Implement installation and configuration of KServe prerequisites
KServe prerequisites are:
* Service Mesh (Istio)
  * A minimal Control Plane is configured for KServe with only Pilot and default gateways.
  * An additional knative: ingressgateway is set for the Istio Ingress gateway workload.
  * Some ports are excluded from envoy to allow for metrics collection and KNative hooks.
  * Metrics collection is configured for Pilot and the gateways.
* Serverless (KNative)
  * Only serving components are needed from KNative.
  * For the most part, a typical Serving deployment is configured, with Istio as networking layer.
  * By default, a self-signed certificate is generated using the OpenShift Ingress domain. Users can provide their own secret with a production ready TLS certificate.

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
israel-hdez committed Nov 2, 2023
1 parent dcc6b91 commit 5223678
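An added example manifest, not taken from this commit or from the project's documentation, showing how the two spec sections described above would be set for a production single model serving (KServe) installation: both management states set to Managed, and the ingress gateway certificate supplied by the user instead of the self-signed default. The field names are the ones introduced in this commit; the apiVersion and kind, the applicationsNamespace value, the wildcard domain and the resource name are assumptions.

```yaml
apiVersion: dscinitialization.opendatahub.io/v1   # assumed API group; the diff only shows package apis/dscinitialization/v1
kind: DSCInitialization                            # assumed kind, inferred from the DSCInitializationSpec type
metadata:
  name: default-dsci                               # assumed name
spec:
  applicationsNamespace: opendatahub               # required by the CRD; the value is an assumption
  serviceMesh:
    managementState: Managed      # CRD default is Removed; the mesh is mandatory for KServe
    mesh:
      name: data-science-smcp     # CRD default
      namespace: istio-system     # CRD default
      monitoring: Istio           # the Go field is MetricsCollection, but its json tag in this commit is "monitoring"
  serverless:
    managementState: Managed      # CRD default is Removed
    serving:
      name: knative-serving       # name of the KNativeServing resource to be created
      namespace: knative-serving
      localGatewayServiceName: knative-local-gateway
      ingressGateway:
        domain: "*.apps.example.com"   # assumed wildcard; when unset the OpenShift Ingress domain is used
        certificate:
          generate: None               # the default SelfSigned produces a certificate clients will not trust
          secretName: knative-serving-cert   # with generate: None this TLS Secret must already exist
```

The `generate: None` plus `secretName` pair is the production form the commit message refers to. Leaving `generate` at its default of `SelfSigned` is only suitable for development, because the gateway then presents a certificate that no client trust store validates, and the private key is written to a `<secretName>-key` Secret managed by the operator rather than by your PKI.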
Showing 27 changed files with 904 additions and 10 deletions.
15 changes: 14 additions & 1 deletion apis/dscinitialization/v1/dscinitialization_types.go
Expand Up @@ -35,9 +35,22 @@ type DSCInitializationSpec struct {
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=2
// +optional
Monitoring Monitoring `json:"monitoring,omitempty"`
// Configures Service Mesh as networking layer for Data Science Clusters components.
// The Service Mesh is a mandatory prerequisite for single model serving (KServe) and
// you should review this configuration if you are planning to use KServe.
// For other components, it enhances user experience; e.g. it provides unified
// authentication giving a Single Sign On experience.
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=3
// +optional
ServiceMesh ServiceMeshSpec `json:"serviceMesh,omitempty"`
// Configures Serverless (KNative Serving). This is a prerequisite for single model
// serving (KServe) and you should review this configuration if you are planning to use KServe.
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=4
// +optional
Serverless ServerlessSpec `json:"serverless,omitempty"`
// Internal development useful field to test customizations.
// This is not recommended to be used in production environment.
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=3
// +operator-sdk:csv:customresourcedefinitions:type=spec,order=5
// +optional
DevFlags DevFlags `json:"devFlags,omitempty"`
}
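Review bot: the new doc comments on `ServiceMesh` and `Serverless` ("you should review this configuration if you are planning to use KServe") tell the user to review something without saying what to change; since both `ServiceMeshSpec` and `ServerlessSpec` default `managementState` to `Removed`, say explicitly that `managementState` must be set to `Managed` on both for single model serving, so the CSV and CRD descriptions generated from these comments carry the actionable requirement. The renumbering of `DevFlags` from `order=3` to `order=5` is consistent with the two fields inserted at orders 3 and 4.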
68 changes: 68 additions & 0 deletions apis/dscinitialization/v1/serverless_types.go
@@ -0,0 +1,68 @@
package v1

import operatorv1 "github.com/openshift/api/operator/v1"

// ServerlessSpec configures KNative components used in Open Data Hub. Specifically,
// KNative is used to enable single model serving (KServe).
type ServerlessSpec struct {
// +kubebuilder:validation:Enum=Managed;Removed
// +kubebuilder:default=Removed
ManagementState operatorv1.ManagementState `json:"managementState,omitempty"`
// Serving configures the KNative-Serving stack used for model serving. A Service
// Mesh (Istio) is prerequisite, since it is used as networking layer.
Serving ServingSpec `json:"serving,omitempty"`
}

// ServingSpec specifies the configuration for the KNative Serving components and their
// bindings with the Service Mesh.
type ServingSpec struct {
// Name specifies the name of the KNativeServing resource that is going to be
// created to instruct the KNative Operator to deploy KNative serving components.
// +kubebuilder:default=knative-serving
Name string `json:"name,omitempty"`
// Namespace specifies the namespace where the KNativeServing resource is going
// to be created.
// +kubebuilder:default=knative-serving
Namespace string `json:"namespace,omitempty"`
// LocalGatewayServiceName allows to customize the name of the Kubernetes Service that
// is going to be created for intra-cluster requests. The service is created in the
// Service Mesh namespace.
// +kubebuilder:default=knative-local-gateway
LocalGatewayServiceName string `json:"localGatewayServiceName,omitempty"`
// IngressGateway allows to customize some parameters for the Istio Ingress Gateway
// that is bound to KNative-Serving.
IngressGateway IngressGatewaySpec `json:"ingressGateway,omitempty"`
}

// IngressGatewaySpec represents the configuration of the KNative Ingress Gateway.
type IngressGatewaySpec struct {
// GatewaySelector specifies the label selector to choose the Istio Ingress Gateway to use
// for intercepting incoming requests. If unset, the selector knative=ingressgateway is used.
// GatewaySelector map[string]string `json:"selector,omitempty"`

// Domain specifies the DNS name for intercepting ingress requests coming from
// outside the cluster. Most likely, you will want to use a wildcard name,
// like *.example.com. If not set, the domain of the OpenShift Ingress is used.
// If you choose to generate a certificate, this is the domain used for the certificate request.
Domain string `json:"domain,omitempty"`
// Certificate specifies configuration about the location of the TLS certificate and
// if a certificate would be generated.
Certificate CertificateSpec `json:"certificate,omitempty"`
}

// CertificateSpec represents the specification of the certificate securing communications of
// the Istio Ingress Gateway for the KNative network.
type CertificateSpec struct {
// SecretName specifies the name of the Kubernetes Secret resource that contains a
// TLS certificate secure HTTP communications for the KNative network.
// +kubebuilder:default=knative-serving-cert
SecretName string `json:"secretName,omitempty"`
// Generate specifies if the TLS certificate should be generated automatically using an own private
// key. The private key is going to be stored in a secret with the same name as the
// TLS certificate plus the "-key" suffix (e.g. knative-serving-cert-key).
// If this value is set to None, pre-existence of the TLS Secret (SecretName) with a
// valid certificate is assumed.
// +kubebuilder:validation:Enum=SelfSigned;None
// +kubebuilder:default=SelfSigned
Generate string `json:"generate,omitempty"`
}
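Review bot: in `CertificateSpec`, the `Generate` comment says that with `None` "pre-existence of the TLS Secret (SecretName) with a valid certificate is assumed", but nothing states what happens when that Secret is absent; document (and have the reconciler report) that case rather than silently binding the ingress gateway to a missing Secret, since `None` is the setting production users will rely on while the default `SelfSigned` is only suitable for non-production use, as the commit message itself says. Two smaller points in the same hunk: the commented-out `// GatewaySelector map[string]string `json:"selector,omitempty"`` field should be removed or implemented rather than shipped as dead code, because its doc comment still promises "If unset, the selector knative=ingressgateway is used" for a field that does not exist; and the `SecretName` comment is missing a word ("contains a TLS certificate to secure HTTP communications").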
28 changes: 28 additions & 0 deletions apis/dscinitialization/v1/servicemesh_types.go
@@ -0,0 +1,28 @@
package v1

import operatorv1 "github.com/openshift/api/operator/v1"

// ServiceMeshSpec configures Service Mesh.
type ServiceMeshSpec struct {
// +kubebuilder:validation:Enum=Managed;Removed
// +kubebuilder:default=Removed
ManagementState operatorv1.ManagementState `json:"managementState,omitempty"`
// Mesh holds configuration of Service Mesh used by Opendatahub.
Mesh MeshSpec `json:"mesh,omitempty"`
}

type MeshSpec struct {
// Name is a name Service Mesh Control Plane. Defaults to "minimal".
// +kubebuilder:default=data-science-smcp
Name string `json:"name,omitempty"`
// Namespace is a namespace where Service Mesh is deployed. Defaults to "istio-system".
// +kubebuilder:default=istio-system
Namespace string `json:"namespace,omitempty"`
// MetricsCollection specifies if metrics from components on the Mesh namespace
// should be collected. Setting the value to "Istio" will collect metrics from the
// control plane and any proxies on the Mesh namespace (like gateway pods). Setting
// to "None" will disable metrics collection.
// +kubebuilder:validation:Enum=Istio;None
// +kubebuilder:default=Istio
MetricsCollection string `json:"monitoring,omitempty"`
}
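Review bot: in `MeshSpec`, the `Name` comment says `Defaults to "minimal"` while the marker is `+kubebuilder:default=data-science-smcp`; pick one, because the comment is copied verbatim into the CRD description. Also, `MetricsCollection` is serialized with `json:"monitoring,omitempty"`, so users will write `mesh.monitoring: Istio` while every description talks about MetricsCollection; rename the tag to `metricsCollection` (or the field to `Monitoring`) before this API is published, since json tags are hard to change afterwards. The `Defaults to "istio-system"` sentence on `Namespace` duplicates the kubebuilder default and can be dropped.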
96 changes: 96 additions & 0 deletions apis/dscinitialization/v1/zz_generated.deepcopy.go
Expand Up @@ -81,6 +81,124 @@ spec:
description: Namespace for monitoring if it is enabled
type: string
type: object
serverless:
description: Configures Serverless (KNative Serving). This is a prerequisite
for single model serving (KServe) and you should review this configuration
if you are planning to use KServe.
properties:
managementState:
default: Removed
enum:
- Managed
- Removed
pattern: ^(Managed|Unmanaged|Force|Removed)$
type: string
serving:
description: Serving configures the KNative-Serving stack used
for model serving. A Service Mesh (Istio) is prerequisite, since
it is used as networking layer.
properties:
ingressGateway:
description: IngressGateway allows to customize some parameters
for the Istio Ingress Gateway that is bound to KNative-Serving.
properties:
certificate:
description: Certificate specifies configuration about
the location of the TLS certificate and if a certificate
would be generated.
properties:
generate:
default: SelfSigned
description: Generate specifies if the TLS certificate
should be generated automatically using an own private
key. The private key is going to be stored in a
secret with the same name as the TLS certificate
plus the "-key" suffix (e.g. knative-serving-cert-key).
If this value is set to None, pre-existence of the
TLS Secret (SecretName) with a valid certificate
is assumed.
enum:
- SelfSigned
- None
type: string
secretName:
default: knative-serving-cert
description: SecretName specifies the name of the
Kubernetes Secret resource that contains a TLS certificate
secure HTTP communications for the KNative network.
type: string
type: object
domain:
description: Domain specifies the DNS name for intercepting
ingress requests coming from outside the cluster. Most
likely, you will want to use a wildcard name, like *.example.com.
If not set, the domain of the OpenShift Ingress is used.
If you choose to generate a certificate, this is the
domain used for the certificate request.
type: string
type: object
localGatewayServiceName:
default: knative-local-gateway
description: LocalGatewayServiceName allows to customize the
name of the Kubernetes Service that is going to be created
for intra-cluster requests. The service is created in the
Service Mesh namespace.
type: string
name:
default: knative-serving
description: Name specifies the name of the KNativeServing
resource that is going to be created to instruct the KNative
Operator to deploy KNative serving components.
type: string
namespace:
default: knative-serving
description: Namespace specifies the namespace where the KNativeServing
resource is going to be created.
type: string
type: object
type: object
serviceMesh:
description: Configures Service Mesh as networking layer for Data
Science Clusters components. The Service Mesh is a mandatory prerequisite
for single model serving (KServe) and you should review this configuration
if you are planning to use KServe. For other components, it enhances
user experience; e.g. it provides unified authentication giving
a Single Sign On experience.
properties:
managementState:
default: Removed
enum:
- Managed
- Removed
pattern: ^(Managed|Unmanaged|Force|Removed)$
type: string
mesh:
description: Mesh holds configuration of Service Mesh used by
Opendatahub.
properties:
monitoring:
default: Istio
description: MetricsCollection specifies if metrics from components
on the Mesh namespace should be collected. Setting the value
to "Istio" will collect metrics from the control plane and
any proxies on the Mesh namespace (like gateway pods). Setting
to "None" will disable metrics collection.
enum:
- Istio
- None
type: string
name:
default: data-science-smcp
description: Name is a name Service Mesh Control Plane. Defaults
to "minimal".
type: string
namespace:
default: istio-system
description: Namespace is a namespace where Service Mesh is
deployed. Defaults to "istio-system".
type: string
type: object
type: object
required:
- applicationsNamespace
type: object
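Review bot: this CRD hunk is generated from the Go types, so it inherits their inconsistencies: under `mesh`, `name` has `default: data-science-smcp` while its description says `Defaults to "minimal"`, and the metrics setting surfaces as `monitoring` although its description speaks of MetricsCollection. Fix the Go comments and json tags, then regenerate, rather than editing this file. One thing that looks odd but is fine: both `managementState` fields carry `enum: [Managed, Removed]` together with `pattern: ^(Managed|Unmanaged|Force|Removed)$`; the pattern comes from the `operatorv1.ManagementState` type and the enum is the effective constraint, so `Unmanaged` and `Force` are rejected as intended. A short comment on the Go field saying so would stop someone from "fixing" the pattern later.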
