-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(kserve): automates installation and configuration of KServe prerequisites #691
feat(kserve): automates installation and configuration of KServe prerequisites #691
Conversation
pkg/feature/templates/serverless/serving-install/knative-serving.tmpl
Outdated
Show resolved
Hide resolved
KServe pre-requisites are: * Service Mesh (Istio) * A minimal Control Plane is configured for KServe with only Pilot and default gateways. * An additional knative: ingressgateway is set for the Istio Ingress gateway workload. * Some ports are excluded from envoy to allow for metrics collection and KNative hooks. * Metrics collection is configured for Pilot and the gateways. * Serverless (KNative) * Only serving components are needed from KNative. * For the most part, a typical Serving deployment is configured, with Istio as networking layer. * By default, a self-signed certificate is generated using the OpenShift Ingress domain. Users can provide their own secret with a production ready TLS certificate. Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
5223678
to
1d7055f
Compare
pkg/feature/templates/serverless/serving-istio-gateways/local-gateway-svc.tmpl
Show resolved
Hide resolved
ref #666 |
pkg/feature/templates/servicemesh/metrics-collection/pilot-metrics-collection.tmpl
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for all the great work! I have shared a few things worth considering before we merge it.
FWIW: There are some tests you might want to include as part of this PR (and perhaps write some more) - have a look here https://github.com/maistra/opendatahub-operator/blob/service-mesh-integration/tests/integration/servicemesh/service_mesh_setup_features_int_test.go
pkg/feature/templates/servicemesh/metrics-collection/envoy-metrics-collection.tmpl
Outdated
Show resolved
Hide resolved
pkg/feature/templates/servicemesh/metrics-collection/pilot-metrics-collection.tmpl
Outdated
Show resolved
Hide resolved
b949942
to
c241750
Compare
* Implement EnsureServerlessAbsent func. * Fix PR feedback. * Revert get_all_manifests.sh Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
c241750
to
b971312
Compare
@bartoszmajsak Definitely! Let me work on the tests on my Tuesday. Although, I'll let the operator team to decide if we are good to merge while I work on the tests. I know there is a scheduled release planned for this week. |
/retest |
@Jooho this is ready for testing. |
// +kubebuilder:validation:Enum=Kubernetes;ThirdParty | ||
// +kubebuilder:default=Kubernetes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder if we can't pull maistra/api
for this purpose? https://github.com/maistra/istio-operator/blob/d922eece2343343e27016ea0d498bda36bfa64d8/pkg/apis/maistra/v2/security.go#L202-L209
One big question I have in mind is that with these kind of settings, we are drifting away from a potential support of upstream Istio and locking it to Opesnhift Service Mesh.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This options seems to be related to this: https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens.
If it is, I think it still would be applicable to upstream.
Upstream docs seem to have a hint about automating this: looks like a check against the TokenRequest
API would tell if we can use ThirdParty
. Perhaps we should set this to ThirdParty
unless the TokenRequest
API is not available. From those upstream docs, it looks like ThirdParty
should be preferred over first party. Although, I'm not sure what really would be the recommendation on Maistra.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is related, but wrapped in Maistra config/objects. How did you test it thus far without this feature as it is defaulting to Kubernetes (first-party-jwt)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mainly use a non-ROSA cluster, so first party tokens are OK.
And... well... I haven't tested this on ROSA. I'm just trusting this change would be enough on ROSA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i set it to ThirdParty in my ROSA cluster and it created the 3 featuretrackers ( not enable monitoring one)
previously when not set it (fall back to Kubernetes) had issue to set FTer up
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Conclusion: we will document this scenario rather than expose it as a config in DSCI. Relevant docs on OSSM side: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html-single/service_mesh/index#ossm-install-rosa_ossm-create-smcp
/cc @danielezonca
@zdtsw @VaishnaviHire It's essential that we establish a consensus on key principles moving forward. From my perspective, every significant modification should come with automated tests. Without this, we not only waste valuable time on manual verification but also do not build safety net against potential regressions. The V2 overhaul presents us with an excellent chance to lay down a foundation of high-quality codebase. This, in turn, will enable us to develop exceptional tools for OpenDataHub moving forward. |
Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
Pushed commit to fix @zdtsw comments. |
I see 2 approaches:
@danielezonca @israel-hdez @VaishnaviHire @bartoszmajsak |
If we decide to make it all enabled by default it will mean having service mesh config enabled by default in DSCI too. I cannot answer from the requirements perspective what is preferred way. Perhaps @danielezonca can. With that said I would rather make an issue and raise another PR as it seems like an improvement to me rather than an important fix. |
to update: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bartoszmajsak, cam-garrison, spolti, VaishnaviHire, zdtsw The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…equisites (opendatahub-io#691) * Implement installation and configuration of KServe prerequisites KServe pre-requisites are: * Service Mesh (Istio) * A minimal Control Plane is configured for KServe with only Pilot and default gateways. * An additional knative: ingressgateway is set for the Istio Ingress gateway workload. * Some ports are excluded from envoy to allow for metrics collection and KNative hooks. * Metrics collection is configured for Pilot and the gateways. * Serverless (KNative) * Only serving components are needed from KNative. * For the most part, a typical Serving deployment is configured, with Istio as networking layer. * By default, a self-signed certificate is generated using the OpenShift Ingress domain. Users can provide their own secret with a production ready TLS certificate. Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> * chore: updates apis/dscinitialization/v1/servicemesh_types.go Co-authored-by: Cameron Garrison <cgarriso@redhat.com> * wip: serverless as part of kserve * chore: removes identitytype from CRD * feat: ensures that serverless config is removed when KServe is enabled * chore: checks if service mesh is configured when serving is enabled * fix: returns error on fail to remove serverless * chore(dsci): attempts to reduce test flakyness * chore: removes misleading TODO * Fix Dockerfile Add new COPY statement, due to the new `infrastructure` directory Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> * chore: regenerates bundle --------- Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com> Co-authored-by: Cameron Garrison <cgarriso@redhat.com>
…equisites (opendatahub-io#691) * Implement installation and configuration of KServe prerequisites KServe pre-requisites are: * Service Mesh (Istio) * A minimal Control Plane is configured for KServe with only Pilot and default gateways. * An additional knative: ingressgateway is set for the Istio Ingress gateway workload. * Some ports are excluded from envoy to allow for metrics collection and KNative hooks. * Metrics collection is configured for Pilot and the gateways. * Serverless (KNative) * Only serving components are needed from KNative. * For the most part, a typical Serving deployment is configured, with Istio as networking layer. * By default, a self-signed certificate is generated using the OpenShift Ingress domain. Users can provide their own secret with a production ready TLS certificate. Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> * chore: updates apis/dscinitialization/v1/servicemesh_types.go Co-authored-by: Cameron Garrison <cgarriso@redhat.com> * wip: serverless as part of kserve * chore: removes identitytype from CRD * feat: ensures that serverless config is removed when KServe is enabled * chore: checks if service mesh is configured when serving is enabled * fix: returns error on fail to remove serverless * chore(dsci): attempts to reduce test flakyness * chore: removes misleading TODO * Fix Dockerfile Add new COPY statement, due to the new `infrastructure` directory Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> * chore: regenerates bundle --------- Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com> Co-authored-by: Cameron Garrison <cgarriso@redhat.com>
* feat(kserve): automates installation and configuration of KServe prerequisites (opendatahub-io#691) * Implement installation and configuration of KServe prerequisites KServe pre-requisites are: * Service Mesh (Istio) * A minimal Control Plane is configured for KServe with only Pilot and default gateways. * An additional knative: ingressgateway is set for the Istio Ingress gateway workload. * Some ports are excluded from envoy to allow for metrics collection and KNative hooks. * Metrics collection is configured for Pilot and the gateways. * Serverless (KNative) * Only serving components are needed from KNative. * For the most part, a typical Serving deployment is configured, with Istio as networking layer. * By default, a self-signed certificate is generated using the OpenShift Ingress domain. Users can provide their own secret with a production ready TLS certificate. Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> * chore: updates apis/dscinitialization/v1/servicemesh_types.go Co-authored-by: Cameron Garrison <cgarriso@redhat.com> * wip: serverless as part of kserve * chore: removes identitytype from CRD * feat: ensures that serverless config is removed when KServe is enabled * chore: checks if service mesh is configured when serving is enabled * fix: returns error on fail to remove serverless * chore(dsci): attempts to reduce test flakyness * chore: removes misleading TODO * Fix Dockerfile Add new COPY statement, due to the new `infrastructure` directory Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> * chore: regenerates bundle --------- Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com> Co-authored-by: Cameron Garrison <cgarriso@redhat.com> * Disable Service Mesh IOR (opendatahub-io#738) This disables automatic OpenShift routes creation. Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> (cherry picked from commit 2c6f48c) * Add Defaults for new installs --------- Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com> Co-authored-by: Edgar Hernández <ehernand@redhat.com> Co-authored-by: Bartosz Majsak <bartosz.majsak@gmail.com> Co-authored-by: Cameron Garrison <cgarriso@redhat.com>
not sure why i got this message last night, but the code in the quote has been fixed in the incubation branch, unless you still see it in any of ODH nightly/downstream 2.5 build? |
how? |
Yes, the certificate:
secretName: knative-serving-cert
type: SelfSigned |
Fixes #666
Description
KServe pre-requisites are:
Fixes opendatahub-io/kserve#105
How Has This Been Tested?
Manual testing, for the most part.
Some instructions (targeted for the serving team): opendatahub-io/kserve#105 (comment)
Merge criteria: