feat(kserve): automates installation and configuration of KServe prerequisites

[israel-hdez]

Fixes #666

Description

KServe pre-requisites are:

• Service Mesh (Istio)
  • A minimal Control Plane is configured for KServe with only Pilot and default gateways.
  • An additional knative: ingressgateway is set for the Istio Ingress gateway workload.
  • Some ports are excluded from envoy to allow for metrics collection and KNative hooks.
  • Metrics collection is configured for Pilot and the gateways.
• Serverless (KNative)
  • Only serving components are needed from KNative.
  • For the most part, a typical Serving deployment is configured, with Istio as networking layer.
  • By default, a self-signed certificate is generated using the OpenShift Ingress domain. Users can provide their own secret with a production ready TLS certificate.

Fixes opendatahub-io/kserve#105

How Has This Been Tested?

Manual testing, for the most part.

Some instructions (targeted for the serving team): opendatahub-io/kserve#105 (comment)

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[zdtsw]

ref #666

[bartoszmajsak]

Thanks for all the great work! I have shared a few things worth considering before we merge it.

FWIW: There are some tests you might want to include as part of this PR (and perhaps write some more) - have a look here https://github.com/maistra/opendatahub-operator/blob/service-mesh-integration/tests/integration/servicemesh/service_mesh_setup_features_int_test.go

[israel-hdez]

FWIW: There are some tests you might want to include as part of this PR (and perhaps write some more) - have a look here https://github.com/maistra/opendatahub-operator/blob/service-mesh-integration/tests/integration/servicemesh/service_mesh_setup_features_int_test.go

@bartoszmajsak Definitely! Let me work on the tests on my Tuesday.

Although, I'll let the operator team to decide if we are good to merge while I work on the tests. I know there is a scheduled release planned for this week.

[israel-hdez]

/retest

[israel-hdez]

@Jooho this is ready for testing.
I will work on units, in the meantime.

[bartoszmajsak]

I wonder if we can't pull maistra/api for this purpose? https://github.com/maistra/istio-operator/blob/d922eece2343343e27016ea0d498bda36bfa64d8/pkg/apis/maistra/v2/security.go#L202-L209

One big question I have in mind is that with these kind of settings, we are drifting away from a potential support of upstream Istio and locking it to Opesnhift Service Mesh.

[israel-hdez]

This options seems to be related to this: https://istio.io/latest/docs/ops/best-practices/security/#configure-third-party-service-account-tokens.

If it is, I think it still would be applicable to upstream.

Upstream docs seem to have a hint about automating this: looks like a check against the TokenRequest API would tell if we can use ThirdParty. Perhaps we should set this to ThirdParty unless the TokenRequest API is not available. From those upstream docs, it looks like ThirdParty should be preferred over first party. Although, I'm not sure what really would be the recommendation on Maistra.

[bartoszmajsak]

It is related, but wrapped in Maistra config/objects. How did you test it thus far without this feature as it is defaulting to Kubernetes (first-party-jwt)?

[israel-hdez]

I mainly use a non-ROSA cluster, so first party tokens are OK.
And... well... I haven't tested this on ROSA. I'm just trusting this change would be enough on ROSA.

[zdtsw]

i set it to ThirdParty in my ROSA cluster and it created the 3 featuretrackers ( not enable monitoring one)
previously when not set it (fall back to Kubernetes) had issue to set FTer up

[bartoszmajsak]

Conclusion: we will document this scenario rather than expose it as a config in DSCI. Relevant docs on OSSM side: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html-single/service_mesh/index#ossm-install-rosa_ossm-create-smcp

/cc @danielezonca

[bartoszmajsak]

FWIW: There are some tests you might want to include as part of this PR (and perhaps write some more) - have a look here maistra/opendatahub-operator@service-mesh-integration/tests/integration/servicemesh/service_mesh_setup_features_int_test.go

@bartoszmajsak Definitely! Let me work on the tests on my Tuesday.

Although, I'll let the operator team to decide if we are good to merge while I work on the tests. I know there is a scheduled release planned for this week.

@zdtsw @VaishnaviHire It's essential that we establish a consensus on key principles moving forward. From my perspective, every significant modification should come with automated tests. Without this, we not only waste valuable time on manual verification but also do not build safety net against potential regressions. The V2 overhaul presents us with an excellent chance to lay down a foundation of high-quality codebase. This, in turn, will enable us to develop exceptional tools for OpenDataHub moving forward.

[israel-hdez]

Pushed commit to fix @zdtsw comments.

[zdtsw]

When creating a DSC, the spec by default does not contain kserve.serving which is needed for enabling Kserve/Service-Mesh (i.e. kserve.serving.managementState: Managed). It would be more efficient to include kserve.serving by default.

I see 2 approaches:

1. have serverless config under Kserve by default but set to Removed to both by default in ODH => what we have in the PR
2. do not have serverless config under Kserve by default, this will ask users to do the configs of serverless by themselves (not just a flip of Removed to Managed in the state) => as Matt suggested to make the enablement easiler

@danielezonca @israel-hdez @VaishnaviHire @bartoszmajsak
i dont think this will be a "must-done" to get the PR in, we can have a follow-up if everyone feels (2) is better for user.

[bartoszmajsak]

When creating a DSC, the spec by default does not contain kserve.serving which is needed for enabling Kserve/Service-Mesh (i.e. kserve.serving.managementState: Managed). It would be more efficient to include kserve.serving by default.

I see 2 approaches:

1. have serverless config under Kserve by default but set to Removed to both by default in ODH => what we have in the PR
2. do not have serverless config under Kserve by default, this will ask users to do the configs of serverless by themselves (not just a flip of Removed to Managed in the state) => as Matt suggested to make the enablement easiler

@danielezonca @israel-hdez @VaishnaviHire @bartoszmajsak i dont think this will be a "must-done" to get the PR in, we can have a follow-up if everyone feels (2) is better for user.

If we decide to make it all enabled by default it will mean having service mesh config enabled by default in DSCI too. I cannot answer from the requirements perspective what is preferred way. Perhaps @danielezonca can.

With that said I would rather make an issue and raise another PR as it seems like an improvement to me rather than an important fix.

[zdtsw]

to update:
from my live-build (of the latest commits from 13th Nov evening)
default-dsc was auto created with config like this:

[zdtsw]

/lgtm

[zdtsw]

forgot to add my screenshot after the test
to make it easier, only enabled kserve here

[VaishnaviHire]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bartoszmajsak, cam-garrison, spolti, VaishnaviHire, zdtsw

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [VaishnaviHire]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zdtsw]

Btw, did someone try to run the operator build from this PR with the following DSC?

apiVersion: datasciencecluster.opendatahub.io/v1
kind: DataScienceCluster
metadata:
  name: example
  labels:
    app.kubernetes.io/name: datasciencecluster
spec:
  components:
    kserve:
      managementState: Managed

Results it:

2023-11-10T17:23:21Z DEBUG events DataScienceCluster instance example created, but have some failures in component 1 error occurred:
* DSCInitialization.dscinitialization.opendatahub.io "default" not found

The operator is creating the dsci as default-dsci. It seems to be changed by this pr: #708
Maybe this PR needs a rebase or?

correct. we need to to rebase this PR before testing it.

@spolti @zdtsw @VaishnaviHire The error is not affecting functionality of this PR. Yet, the error is present despite fetching changes from incubation branch.

I debugged a little bit, and found the hard-coded constant here:

opendatahub-operator/components/modelmeshserving/modelmeshserving.go

Line 142 in da25fa5

Name: "default",

.
Probably, it is worth to fix, before the freeze.

not sure why i got this message last night, but the code in the quote has been fixed in the incubation branch, unless you still see it in any of ODH nightly/downstream 2.5 build?

[bdattoma]

@israel-hdez

Users can provide their own secret with a production ready TLS certificate.

how?
EDIT. I guess by setting a secret name like done in the instruction godc

[israel-hdez]

@israel-hdez

Users can provide their own secret with a production ready TLS certificate.

how? EDIT. I guess by setting a secret name like done in the instruction godc

Yes, the secretName shown in the document is the default name.
You would need to use type: Provided if you want to use your own. Then, you will need to manually create the TLS secret with the specified name containing the certificate.

certificate:
  secretName: knative-serving-cert
  type: SelfSigned