Feature: Create cert Secret and update KServe local gateway

[Jooho]

Description:

This is one of tasks for Private Endpoint Tasks (opendatahub-io/kserve#371)

This PR support the following:

• add Serving Cert annotation to runtime Service
• create the same secret that was created by Serving cert in the istio-system
• update kserve local gateway for the isvc

Jira: https://issues.redhat.com/browse/RHOAIENG-7921

(NOTE) Loopy was tested on fedora only.

Test

Env setup

• Using source

  mkdir /tmp/test
  cd /tmp/test
  git clone [email protected]:Jooho/loopy.git
  cd loopy
  make init  
  

• Using docker image

docker run --name loopy -it  quay.io/jooholee/loopy:latest /bin/bash

Create a cluster information script

cd loopy

cat cluster_info.sh
CLUSTER_CONSOLE_URL=https://console-openshift-console.XXXX
CLUSTER_API_URL=https://api.XXX:443
CLUSTER_ADMIN_ID=admin
CLUSTER_ADMIN_PW=password
CLUSTER_TOKEN=sha256~XXX
CLUSTER_TYPE=ROSA

Install Kserve with a new manifests

./loopy playbooks run  odh-stable-install-kserve-serverless-on-existing-cluster -p CUSTOM_KSERVE_MANIFESTS=https://github.com/jooho/kserve/tarball/test-manifest  -p CUSTOM_ODH_MODEL_CONTROLLER_MANIFESTS=https://github.com/jooho/odh-model-controller/tarball/test-manifests -vvv -i ./cluster.sh

Deploy sample sklearn model

./loopy units run test-kserve-sklearn-v2-iris-role -vvv -i ./cluster_info.sh 

Checks

1. Verify if runtime Service add serving cert annotation

oc get service sklearn-example-isvc-iris-v2-rest -ojsonpath='{.metadata.annotations}'

2. Verify if Serving Cert Secret is created

oc get secret sklearn-example-isvc-iris-v2-rest

3. Verify if Kserve gateway have the Server

kubectl get gateway kserve-local-gateway -n istio-system -o jsonpath='{.spec.servers[?(@.port.name=="sklearn-example-isvc-iris-v2-rest")]}'

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Jooho

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Jooho]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Jooho]

/test unit

[Jooho]

/test unit

[spolti]

this can be debug

[Jooho]

I referenced the other reconcile and they were using info so I followed it.

[spolti]

okay, but, on normal operation the fewer info messages we have the better.
IMHO, this is one example of informational messages that could be set to debug only.

[spolti]

here as well

[Jooho]

same here

[VedantMahabaleshwarkar]

I think the MutatingWebhook needs patches similar to what we have for the ValidatingWebhook.
field patch and webhook patch

[israel-hdez]

These are globals... I wonder if it won't lead to race conditions...

[Jooho]

make sense. I changed destSecretName,portName but I believe meshNamespace should be ok because it is always the same.

[Jooho]

updated.

[Jooho]

@israel-hdez FYI, I removed mutating webhook and re-add isvc_service_cert_reconciler because it turned out kserve controller rollback the annotation.

[Jooho]

/retest

[israel-hdez]

Adding some additional comment. It may be easy to just reply so that I understand better.

If you, by chance, would push some code changes, I saw some code commented in _test.go files. It would be good if you can clean-up them.

[israel-hdez]

Now that this code is back, the old comment still stands...

[israel-hdez]

Like my comment in the kserve_isvc_service_cert_reconciler.go around here, you may want a Watch on the controller.

...it happens that, typically, the model load takes more time than the provisioning of the certificate. Thus, the model status update would lead to also reconciling the gateway and the svc. So, skipping the Watch may sound fine, but it is still safer to add it (in case you find how). The motivation is the same as past review: I'm not sure if it is safe to make assumptions on timing/order of unrelated events.

[israel-hdez]

@bartoszmajsak @rcernich This will delete a no longer useful TLS secret and create a new update one with the same name (e.g. at rotation).

Do you know if the ingress gateway will reload it without any changes to the Gateway? Or does it need to have a new name, and the Gateway must be updated to effectively reload it?

[israel-hdez]

Without the Watch on the controller, I'm failing to understand how this will catch the certificate rotation, because looks like none of the watched & owned resources will be updated and a reconcile won't be triggered.

I think you should add these lines, over here so that units can catch this (in case there is an issue).

[Jooho]

As I commented from here, watch can not catch the Secret because it does not have the specific level. I need to think more to solve this rotation part but at the moment, Watch is not the right approach.

[Jooho]

This PR was somehow merged accidentally so I created another PR to follow up (#229)