feat(ossm): adds OSSM annotations to the relevant cluster resources

backend/src/routes/api/namespaces/namespaceUtils.ts

@@ -2,6 +2,7 @@ import { PatchUtils, V1SelfSubjectAccessReview } from '@kubernetes/client-node';
 import { NamespaceApplicationCase } from './const';
 import { K8sStatus, KubeFastifyInstance, OauthFastifyRequest } from '../../../types';
 import { createCustomError } from '../../../utils/requestUtils';
+import { featureFlagEnabled, getDashboardConfig } from '../../../utils/resourceUtils';
 import { isK8sStatus, safeURLPassThrough } from '../k8s/pass-through';
 
 const checkNamespacePermission = (
@@ -60,13 +61,22 @@ export const applyNamespaceChange = async (
     throw createCustomError('Forbidden', "You don't have the access to update the namespace", 403);
   }
 
+  // calling featureFlagEnabled to set the bool to false if it's set to anything but false ('true', undefined, etc)
+  const enableServiceMesh = featureFlagEnabled(
+    getDashboardConfig().spec.dashboardConfig.disableServiceMesh,
+  );
+
   let labels = {};
+  let annotations = {};
   switch (context) {
     case NamespaceApplicationCase.DSG_CREATION:
       labels = {
         'opendatahub.io/dashboard': 'true',
         'modelmesh-enabled': 'true',
       };
+      annotations = {
+        'opendatahub.io/service-mesh': String(enableServiceMesh),
+      };
       break;
     case NamespaceApplicationCase.MODEL_SERVING_PROMOTION:
       labels = {
@@ -78,9 +88,17 @@ export const applyNamespaceChange = async (
   }
 
   return fastify.kube.coreV1Api
-    .patchNamespace(name, { metadata: { labels } }, undefined, undefined, undefined, undefined, {
-      headers: { 'Content-type': PatchUtils.PATCH_FORMAT_JSON_MERGE_PATCH },
-    })
+    .patchNamespace(
+      name,
+      { metadata: { labels, annotations } },
+      undefined,
+      undefined,
+      undefined,
+      undefined,
+      {
+        headers: { 'Content-type': PatchUtils.PATCH_FORMAT_JSON_MERGE_PATCH },
+      },
+    )
     .then(() => ({ applied: true }))
     .catch((e) => {
       fastify.log.error(

backend/src/routes/api/notebooks/utils.ts

@@ -1,14 +1,16 @@
-import { KubeFastifyInstance, Notebook, NotebookData, Route } from '../../../types';
+import { KubeFastifyInstance, Notebook, NotebookData } from '../../../types';
 import { PatchUtils, V1ContainerStatus, V1Pod, V1PodList } from '@kubernetes/client-node';
 import { createCustomError } from '../../../utils/requestUtils';
 import { getUserName } from '../../../utils/userUtils';
 import { RecursivePartial } from '../../../typeHelpers';
+import { featureFlagEnabled, getDashboardConfig } from '../../../utils/resourceUtils';
 import {
   createNotebook,
   generateNotebookNameFromUsername,
   getNamespaces,
   getNotebook,
   getRoute,
+  getServiceMeshGwHost,
   updateNotebook,
 } from '../../../utils/notebookUtils';
 import { FastifyRequest } from 'fastify';
@@ -27,12 +29,24 @@ export const getNotebookStatus = async (
   const notebookName = notebook?.metadata.name;
   let newNotebook: Notebook;
   if (isRunning && !notebook?.metadata.annotations?.['opendatahub.io/link']) {
-    const route = await getRoute(fastify, namespace, notebookName).catch((e) => {
-      fastify.log.warn(`Failed getting route ${notebookName}: ${e.message}`);
-      return undefined;
-    });
-    if (route) {
-      newNotebook = await patchNotebookRoute(fastify, route, namespace, notebookName).catch((e) => {
+    const enableServiceMesh = featureFlagEnabled(
+      getDashboardConfig().spec.dashboardConfig.disableServiceMesh,
+    );
+    let host: string;
+    if (enableServiceMesh) {
+      host = await getServiceMeshGwHost(fastify, namespace).catch((e) => {
+        fastify.log.warn(`Failed getting route ${notebookName}: ${e.message}`);
+        return undefined;
+      });
+    } else {
+      const route = await getRoute(fastify, namespace, notebookName).catch((e) => {
+        fastify.log.warn(`Failed getting route ${notebookName}: ${e.message}`);
+        return undefined;
+      });
+      host = route?.spec.host;
+    }
+    if (host) {
+      newNotebook = await patchNotebookRoute(fastify, host, namespace, notebookName).catch((e) => {
         fastify.log.warn(`Failed patching route to notebook ${notebookName}: ${e.message}`);
         return notebook;
       });
@@ -71,14 +85,14 @@ export const checkPodContainersReady = (pod: V1Pod): boolean => {
 
 export const patchNotebookRoute = async (
   fastify: KubeFastifyInstance,
-  route: Route,
+  host: string,
   namespace: string,
   name: string,
 ): Promise<Notebook> => {
   const patch: RecursivePartial<Notebook> = {
     metadata: {
       annotations: {
-        'opendatahub.io/link': `https://${route.spec.host}/notebook/${namespace}/${name}`,
+        'opendatahub.io/link': `https://${host}/notebook/${namespace}/${name}/`,
       },
     },
   };

backend/src/types.ts

@@ -27,6 +27,7 @@ export type DashboardConfig = K8sResourceCommon & {
       disableModelServing: boolean;
       disableProjectSharing: boolean;
       disableCustomServingRuntimes: boolean;
+      disableServiceMesh: boolean;
       modelMetricsNamespace: string;
       disablePipelines: boolean;
     };
@@ -410,6 +411,9 @@ export type Notebook = K8sResourceCommon & {
       'opendatahub.io/link': string; // redirect notebook url
       'opendatahub.io/username': string; // the untranslated username behind the notebook
 
+      // Openshift Service Mesh specific annotations. They're needed to orchestrate additional resources for nb namespaces.
+      'opendatahub.io/service-mesh': string;
+
       // TODO: Can we get this from the data in the Notebook??
       'notebooks.opendatahub.io/last-image-selection': string; // the last image they selected
       'notebooks.opendatahub.io/last-size-selection': string; // the last notebook size they selected

backend/src/utils/constants.ts

@@ -51,6 +51,7 @@ export const blankDashboardCR: DashboardConfig = {
       disableModelServing: false,
       disableProjectSharing: false,
       disableCustomServingRuntimes: false,
+      disableServiceMesh: true,
       modelMetricsNamespace: '',
       disablePipelines: false,
     },

backend/src/utils/notebookUtils.ts

@@ -1,4 +1,4 @@
-import { getDashboardConfig } from './resourceUtils';
+import { featureFlagEnabled, getDashboardConfig } from './resourceUtils';
 import {
   EnvironmentVariable,
   ImageInfo,
@@ -21,6 +21,7 @@ import { getUserName, usernameTranslate } from './userUtils';
 import { createCustomError } from './requestUtils';
 import {
   PatchUtils,
+  V1Namespace,
   V1PersistentVolumeClaim,
   V1Role,
   V1RoleBinding,
@@ -68,6 +69,35 @@ export const getRoute = async (
   return kubeResponse.body as Route;
 };
 
+export const getServiceMeshGwHost = async (
+  fastify: KubeFastifyInstance,
+  namespace: string,
+): Promise<string> => {
+  const kubeResponse = await fastify.kube.coreV1Api.readNamespace(namespace).catch((res) => {
+    const e = res.response.body;
+    const error = createCustomError('Error getting Namespace', e.message, e.code);
+    fastify.log.error(error);
+    throw error;
+  });
+
+  const body = kubeResponse.body as unknown;
+  const typedResponse = body as V1Namespace;
+
+  const annotations = typedResponse.metadata?.annotations;
+
+  if (!annotations || !annotations['service-mesh.opendatahub.io/public-gateway-host-external']) {
+    const error = createCustomError(
+      'Annotation not found',
+      `Could not find annotation 'service-mesh.opendatahub.io/public-gateway-host-external' for namespace: ${namespace}`,
+      404,
+    );
+    fastify.log.error(error);
+    throw error;
+  }
+
+  return annotations['service-mesh.opendatahub.io/public-gateway-host-external'];
+};
+
 export const createRBAC = async (
   fastify: KubeFastifyInstance,
   namespace: string,
@@ -256,6 +286,10 @@ export const assembleNotebook = async (
     },
   }));
 
+  const serviceMeshEnabled = String(
+    !featureFlagEnabled(getDashboardConfig().spec?.dashboardConfig?.disableServiceMesh),
+  );
+
   return {
     apiVersion: 'kubeflow.org/v1',
     kind: 'Notebook',
@@ -265,12 +299,15 @@ export const assembleNotebook = async (
         'opendatahub.io/odh-managed': 'true',
         'opendatahub.io/user': translatedUsername,
         'opendatahub.io/dashboard': 'true',
+        'sidecar.istio.io/inject': String(serviceMeshEnabled),
       },
       annotations: {
         'notebooks.opendatahub.io/oauth-logout-url': `${url}/notebookController/${translatedUsername}/home`,
         'notebooks.opendatahub.io/last-size-selection': notebookSize.name,
         'notebooks.opendatahub.io/last-image-selection': imageSelection,
+        'notebooks.opendatahub.io/inject-oauth': String(!serviceMeshEnabled),
         'opendatahub.io/username': username,
+        'opendatahub.io/service-mesh': serviceMeshEnabled,
         'kubeflow-resource-stopped': null,
       },
       name: name,
@@ -419,6 +456,8 @@ export const createNotebook = async (
   url: string,
   notebookData?: NotebookData,
 ): Promise<Notebook> => {
+  const config = getDashboardConfig();
+
   if (!notebookData) {
     const error = createCustomError(
       'Missing Notebook',
@@ -444,7 +483,14 @@ export const createNotebook = async (
     notebookAssembled.metadata.annotations = {};
   }
 
-  notebookAssembled.metadata.annotations['notebooks.opendatahub.io/inject-oauth'] = 'true';
+  const enableServiceMesh = featureFlagEnabled(config.spec.dashboardConfig.disableServiceMesh);
+
+  notebookAssembled.metadata.annotations['notebooks.opendatahub.io/inject-oauth'] = String(
+    !enableServiceMesh,
+  );
+  notebookAssembled.metadata.annotations['opendatahub.io/service-mesh'] = String(enableServiceMesh);
+  notebookAssembled.metadata.labels['sidecar.istio.io/inject'] = String(enableServiceMesh);
+
   const notebookContainers = notebookAssembled.spec.template.spec.containers;
 
   if (!notebookContainers[0]) {

backend/src/utils/resourceUtils.ts

@@ -590,6 +590,9 @@ export const getDashboardConfig = (): DashboardConfig => {
   return dashboardConfigWatcher.getResources()?.[0];
 };
 
+export const featureFlagEnabled = (disabledSettingState?: boolean): boolean =>
+  disabledSettingState === false;
+
 export const updateDashboardConfig = (): Promise<void> => {
   return dashboardConfigWatcher.updateResults();
 };

docs/dashboard_config.md

@@ -23,6 +23,7 @@ The following are a list of features that are supported, along with there defaul
 | disableProjectSharing        | false   | Disables Project Sharing from Data Science Projects.                                                 |
 | disableCustomServingRuntimes | false   | Disables Custom Serving Runtimes from the Admin Panel.                                               |
 | modelMetricsNamespace        | false   | Enables the namespace in which the Model Serving Metrics' Prometheus Operator is installed.          |
+| disableServiceMesh           | true    | Disables use of service mesh for routing and authorization.                                          |
 
 ## Defaults
 

frontend/src/__mocks__/mockDashboardConfig.ts

@@ -51,6 +51,7 @@ export const mockDashboardConfig = ({
       disableProjects,
       disableModelServing,
       disableCustomServingRuntimes,
+      disableServiceMesh: true,
       modelMetricsNamespace: 'test-project',
       disablePipelines: false,
       disableProjectSharing: false,