Feature: Create cert Secret and update KServe local gateway #221

Merged
merged 16 commits into from
Jun 27, 2024
258 changes: 258 additions & 0 deletions config/crd/external/gateways.networking.istio.io.yaml
@@ -0,0 +1,258 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
app: istio-pilot
chart: istio
heritage: Tiller
maistra-version: 2.5.2
release: istio
name: gateways.networking.istio.io
spec:
conversion:
strategy: None
group: networking.istio.io
names:
categories:
- istio-io
- networking-istio-io
kind: Gateway
listKind: GatewayList
plural: gateways
shortNames:
- gw
singular: gateway
scope: Namespaced
versions:
- name: v1alpha3
schema:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting edge load balancer. See more details
at: https://istio.io/docs/reference/config/networking/gateway.html'
properties:
selector:
additionalProperties:
type: string
type: object
servers:
description: A list of server specifications.
items:
properties:
bind:
type: string
defaultEndpoint:
type: string
hosts:
description: One or more hosts exposed by this gateway.
items:
type: string
type: array
name:
description: An optional name of the server, when set must be
unique across all servers.
type: string
port:
properties:
name:
description: Label assigned to the port.
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
type: string
targetPort:
type: integer
type: object
tls:
description: Set of TLS related options that govern the server's
behavior.
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL`.
type: string
cipherSuites:
description: 'Optional: If specified, only support the specified
cipher list.'
items:
type: string
type: array
credentialName:
type: string
httpsRedirect:
type: boolean
maxProtocolVersion:
description: 'Optional: Maximum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
minProtocolVersion:
description: 'Optional: Minimum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
mode:
enum:
- PASSTHROUGH
- SIMPLE
- MUTUAL
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
type: string
serverCertificate:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
type: string
subjectAltNames:
items:
type: string
type: array
verifyCertificateHash:
items:
type: string
type: array
verifyCertificateSpki:
items:
type: string
type: array
type: object
type: object
type: array
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
properties:
spec:
description: 'Configuration affecting edge load balancer. See more details
at: https://istio.io/docs/reference/config/networking/gateway.html'
properties:
selector:
additionalProperties:
type: string
type: object
servers:
description: A list of server specifications.
items:
properties:
bind:
type: string
defaultEndpoint:
type: string
hosts:
description: One or more hosts exposed by this gateway.
items:
type: string
type: array
name:
description: An optional name of the server, when set must be
unique across all servers.
type: string
port:
properties:
name:
description: Label assigned to the port.
type: string
number:
description: A valid non-negative integer port number.
type: integer
protocol:
description: The protocol exposed on the port.
type: string
targetPort:
type: integer
type: object
tls:
description: Set of TLS related options that govern the server's
behavior.
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL`.
type: string
cipherSuites:
description: 'Optional: If specified, only support the specified
cipher list.'
items:
type: string
type: array
credentialName:
type: string
httpsRedirect:
type: boolean
maxProtocolVersion:
description: 'Optional: Maximum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
minProtocolVersion:
description: 'Optional: Minimum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
mode:
enum:
- PASSTHROUGH
- SIMPLE
- MUTUAL
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
type: string
serverCertificate:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
type: string
subjectAltNames:
items:
type: string
type: array
verifyCertificateHash:
items:
type: string
type: array
verifyCertificateSpki:
items:
type: string
type: array
type: object
type: object
type: array
type: object
status:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: false
subresources:
status: {}
9 changes: 5 additions & 4 deletions config/manager/kustomization.yaml
@@ -1,10 +1,11 @@
resources:
- manager.yaml
- manager.yaml

generatorOptions:
disableNameSuffixHash: true

configMapGenerator:
- files:
- controller_manager_config.yaml
name: manager-config
- files:
- controller_manager_config.yaml
name: manager-config

10 changes: 10 additions & 0 deletions config/rbac/role.yaml
Expand Up @@ -122,6 +122,16 @@ rules:
- patch
- update
- watch
- apiGroups:
- networking.istio.io
resources:
- gateways
verbs:
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.istio.io
resources:
2 changes: 0 additions & 2 deletions config/webhook/kustomization.yaml
Expand Up @@ -5,7 +5,6 @@ resources:
- manifests.yaml
- service.yaml


patches:
- path: webhook_patch.yaml
target:
Expand All @@ -19,4 +18,3 @@ patches:
kind: ValidatingWebhookConfiguration
name: validating-webhook-configuration
version: v1

1 change: 0 additions & 1 deletion config/webhook/webhook_patch.yaml
Expand Up @@ -13,4 +13,3 @@ webhooks:
matchExpressions:
- key: serving.kserve.io/inferenceservice
operator: Exists

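--- /dev/null
+++ b/controllers/comparators/gateway_comparator.go
@@ -0,0 +1,44 @@
+/*
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package comparators
+
+import (
+istiov1beta1 "istio.io/api/networking/v1beta1"
+istioclientv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func GetGatewayComparator() ResourceComparator {
+return func(existing client.Object, desired client.Object) bool {
+existingGateway := existing.(*istioclientv1beta1.Gateway)
+desiredGateway := desired.(*istioclientv1beta1.Gateway)
+
+exists := false
+for _, server := range existingGateway.Spec.Servers {
+if serversEqual(server, desiredGateway.Spec.Servers[0]) {
+exists = true
+break
+}
+}
+
+return exists
+}
+}
+
+// serversEquals compare if the inferenceservice name matches got the given resources
+func serversEqual(s1, s2 *istiov1beta1.Server) bool {
+return s1.Port.Name == s2.Port.Name
+}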
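Review bot: `serversEqual` matches servers on `Port.Name` alone, so a desired server whose `Hosts` or `Tls` (mode, `credentialName`) differ from the existing one is still reported as present, and if the reconciler treats `true` as "up to date" the gateway never picks up a rotated cert Secret or a new host; the caller is not in this diff, so confirm which way it reads the result before tightening the check. The closure also indexes `desiredGateway.Spec.Servers[0]` unguarded and uses unchecked type assertions, and `s1.Port` is dereferenced without a nil check, each of which panics the controller on a malformed or empty object. The doc comment `// serversEquals compare if the inferenceservice name matches got the given resources` names a different function and describes something the code does not do; replace it with `// serversEqual reports whether two gateway servers describe the same listener.` A guarded, field-aware comparison along these lines would close both gaps.
```go
	return func(existing client.Object, desired client.Object) bool {
		existingGateway, okExisting := existing.(*istioclientv1beta1.Gateway)
		desiredGateway, okDesired := desired.(*istioclientv1beta1.Gateway)
		if !okExisting || !okDesired || len(desiredGateway.Spec.Servers) == 0 {
			return false
		}
		// … unchanged: loop over existingGateway.Spec.Servers calling serversEqual …
	}

// serversEqual reports whether two gateway servers describe the same listener:
// same port name, same host list and the same managed TLS settings.
func serversEqual(s1, s2 *istiov1beta1.Server) bool {
	if s1 == nil || s2 == nil || s1.Port == nil || s2.Port == nil {
		return false
	}
	if s1.Port.Name != s2.Port.Name || len(s1.Hosts) != len(s2.Hosts) {
		return false
	}
	for i := range s1.Hosts {
		if s1.Hosts[i] != s2.Hosts[i] {
			return false
		}
	}
	return tlsEqual(s1.Tls, s2.Tls)
}

// tlsEqual compares the TLS fields this controller sets; two nil settings are equal.
func tlsEqual(t1, t2 *istiov1beta1.ServerTLSSettings) bool {
	if t1 == nil || t2 == nil {
		return t1 == t2
	}
	return t1.Mode == t2.Mode && t1.CredentialName == t2.CredentialName
}
```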
6 changes: 6 additions & 0 deletions controllers/constants/constants.go
Expand Up @@ -49,6 +49,7 @@ const (
KServeCACertConfigMapName = "odh-kserve-custom-ca-bundle"
ODHGlobalCertConfigMapName = "odh-trusted-ca-bundle"
ODHCustomCACertFileName = "odh-ca-bundle.crt"
KServeGatewayName = "kserve-local-gateway"
)

const (
Expand All @@ -59,3 +60,8 @@ const (
VllmImageName = "vllm"
CaikitImageName = "caikit-nlp"
)

// openshift
const (
ServingCertAnnotationKey = "service.beta.openshift.io/serving-cert-secret-name"
)
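Review bot: The exported constants `KServeGatewayName` and `ServingCertAnnotationKey` have no doc comments, and the bare `// openshift` header does not say what the annotation does or who honours it. Proposed: `// KServeGatewayName is the Istio Gateway this controller updates for local (in-mesh) KServe traffic (per the PR title; confirm against the reconciler).` and `// ServingCertAnnotationKey, set on a Service, asks the OpenShift service-ca operator to issue and rotate a serving certificate, signed by the cluster service CA, into the Secret named in the annotation value.` The second comment should also remind readers that such a cert is only trusted by clients carrying `service-ca.crt`; whether the CA bundle ConfigMaps named just above (`odh-kserve-custom-ca-bundle`, `odh-trusted-ca-bundle`) include it is not visible here. Both `const` blocks start outside the hunk.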