add oauth-proxy to rawdeployments if odh auth label is present

[VedantMahabaleshwarkar]

What this PR does / why we need it:

This PR adds the following :

• If the isvc has label "security.opendatahub.io/enable-auth" = "true"
  -- an oauth proxy container is added to the deployment
  -- http port is replaced by https port in the service
  -- "service.beta.openshift.io/serving-cert-secret-name" is added to the service to allow creation of the tls secret
• Modified the kserve raw deployment spec to use the kserve-sa service account (previously no SA was specified, the default SA was used)
• This is needed so that oauth proxy can use the kserve-sa service account to perform auth delegation.
• The service account, CRB and Route are created in Add reconciliation for Kserve Raw odh-model-controller#274

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes # https://issues.redhat.com/browse/RHOAIENG-10291, https://issues.redhat.com/browse/RHOAIENG-13444
TEST WITH: opendatahub-io/odh-model-controller#274

Type of changes
Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

Feature/Issue validation/testing:

• Deploy ODH/RHOAI:
• Install the DSC (kserve spec below) :

    kserve:
      defaultDeploymentMode: RawDeployment
      devFlags:
        manifests:
          - contextDir: config
            sourcePath: overlays/odh
            uri: 'https://github.com/VedantMahabaleshwarkar/kserve/tarball/devflags'
          - contextDir: config
            sourcePath: ''
            uri: 'https://github.com/VedantMahabaleshwarkar/odh-model-controller/tarball/devflags'
      managementState: Managed
      serving:
        ingressGateway:
          certificate:
            type: OpenshiftDefaultIngress
        managementState: Managed
        name: knative-serving

• To test enabling route for a particular ISVC
  -- Create any kserve isvc+SR
  -- isvc should have annotation : "serving.kserve.io/deploymentMode" : RawDeployment
  -- isvc should have label : "networking.kserve.io/visibility": "enable-route"

• To test route with auth:
  -- Create any kserve isvc+SR
  -- isvc should have annotation : "serving.kserve.io/deploymentMode" : RawDeployment
  -- isvc should have label: "security.opendatahub.io/enable-auth" = "true"
  -- isvc should have label: "networking.kserve.io/visibility": "enable-route"

• To test Inference without auth:
  -- remove isvc label "security.opendatahub.io/enable-auth" = "true"

Now inference should work without token

1. Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

Checklist:

• Have you added unit/e2e tests that prove your fix is effective or that this feature works?
• Has code been commented, particularly in hard-to-understand areas?
• Have you made corresponding changes to the documentation?

Release note:

Added oauth-proxy authentication for Kserve RawDeployment Routes

Re-running failed tests

• /rerun-all - rerun all failed workflows.
• /rerun-workflow <workflow name> - rerun a specific failed workflow. Only one workflow name can be specified. Multiple /rerun-workflow commands are allowed per comment.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: VedantMahabaleshwarkar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [VedantMahabaleshwarkar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[VedantMahabaleshwarkar]

tests passing locally, the failures look like test infra failures

/retest-required

[terrytangyuan]

Is commenting these out intentional?

[VedantMahabaleshwarkar]

fixed in update

[terrytangyuan]

These are still commented out?

[israel-hdez]

Yes, I'm still seeing comments here...

[terrytangyuan]

Do we need to expose this config? e.g. any updates in the image would require code change in KServe

[VedantMahabaleshwarkar]

we don't update this oauth proxy image very frequently at all, but do you think I should add it to the configmap and try to consume it from there?

[israel-hdez]

It is better exposing the config, as it allow users quickly moving to another image in case this one becomes vulnerable.

Also, all the other Oauth related constants should be exposed. These should be defaults and users should be capable of customizing, since we don't know how much load there will be which would determine the amount of memory and CPU to be assigned.

[VedantMahabaleshwarkar]

Done, kept these constants as fallback values but PR includes changes to the kserve manifests where the oauth proxy params are defined

[terrytangyuan]

Thanks! LGTM

[israel-hdez]

See my other comment: https://github.com/opendatahub-io/kserve/pull/419/files#r1805239200

[VedantMahabaleshwarkar]

/retest-required

[VedantMahabaleshwarkar]

not sure what's happening with the tests, they are passing locally :(

[israel-hdez]

Please, revert this file.

[israel-hdez]

(bump)

[israel-hdez]

It is better exposing the config, as it allow users quickly moving to another image in case this one becomes vulnerable.

Also, all the other Oauth related constants should be exposed. These should be defaults and users should be capable of customizing, since we don't know how much load there will be which would determine the amount of memory and CPU to be assigned.

[israel-hdez]

For the liveness and readiness probes, instead of being fixed, you should inspect the ISVC and extract the configured paths.

[VedantMahabaleshwarkar]

I didn't get why we should do this. For the modelmesh oauth proxy injection the oauth proxy probes are fixed. Even here the kserve container and the oauth proxy container will report statuses independently so I'm not seeing why we should change the probes here

[VedantMahabaleshwarkar]

the e2e raw test failure is because https://github.com/opendatahub-io/kserve/blob/master/test/scripts/openshift-ci/run-e2e-tests.sh needs to be updated with the new behavior. Imo it can be ignored now can will be fixed later in https://issues.redhat.com/browse/RHOAIENG-14604

[terrytangyuan]

These are still commented out?

[terrytangyuan]

Thanks! LGTM

[terrytangyuan]

Imports are not sorted and grouped

[terrytangyuan]

There might be a constant from netv1 for "Admitted"

[openshift-ci]

@VedantMahabaleshwarkar: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-raw	693027b	link	true	/test e2e-raw

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[israel-hdez]

Yes, I'm still seeing comments here...

[israel-hdez]

This image is extremely old, and with F health: https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?image=6306f12280cc9b3291272668&architecture=amd64

Please, use a newer one.

[israel-hdez]

(bump)

[israel-hdez]

Following up #419 (comment).

These are not the probes, but paths that would be left unprotected.

Now... I'm thinking that you are right on your comment that Kubernetes is going to do the probing on the container. With that in mind, I'm not sure why we should have unprotected paths. So, maybe, remove the --skip-auth-regex argument?

[israel-hdez]

Please, follow-up my comment of the previous review round: #419 (comment)

[israel-hdez]

Handle appropriately the not found error.

[israel-hdez]

Slightly better to check if route.Spec.tls.termination is populated

[israel-hdez]

This reconciler is used for predictors, explainers, transformers and also the inference graph. So, it is going to be neccesary to use the name as is in componentMeta.Name rather than the name of the inference service. Otherwise, you will have several Services generating different certificates, for different FQDN, and trying to store such certificate to the same Secret, leading to conflicts.

Additionally, I'd recommend, adding a suffix like -serving-cert .

[israel-hdez]

From

kserve/pkg/controller/v1beta1/inferenceservice/reconcilers/service/service_reconciler.go

Lines 70 to 110 in 4add27b

	if len(container.Ports) > 0 {
	var servicePort corev1.ServicePort
	servicePort = corev1.ServicePort{
	Name: container.Ports[0].Name,
	Port: constants.CommonDefaultHttpPort,
	TargetPort: intstr.IntOrString{
	Type: intstr.Int,
	IntVal: container.Ports[0].ContainerPort,
	},
	Protocol: container.Ports[0].Protocol,
	}
	servicePorts = append(servicePorts, servicePort)
	for i := 1; i < len(container.Ports); i++ {
	port := container.Ports[i]
	if port.Protocol == "" {
	port.Protocol = corev1.ProtocolTCP
	}
	servicePort = corev1.ServicePort{
	Name: port.Name,
	Port: port.ContainerPort,
	TargetPort: intstr.IntOrString{
	Type: intstr.Int,
	IntVal: port.ContainerPort,
	},
	Protocol: port.Protocol,
	}
	servicePorts = append(servicePorts, servicePort)
	}
	} else {
	port, _ := strconv.Atoi(constants.InferenceServiceDefaultHttpPort)
	servicePorts = append(servicePorts, corev1.ServicePort{
	Name: componentMeta.Name,
	Port: constants.CommonDefaultHttpPort,
	TargetPort: intstr.IntOrString{
	Type: intstr.Int,
	IntVal: int32(port), // #nosec G109
	},
	Protocol: corev1.ProtocolTCP,
	})
	}

, looks like the CommonDefaultHttpPort entry should be present always, and it is going to be the first entry always. So, I think you can simply mutate service.Spec.Ports[0] and change the target port...

...sorry, I know that I said about being defensive in my previous comment.

[israel-hdez]

Looks like the upstream is always configured to the predictor container (the runtime). But when observing here:

kserve/pkg/controller/v1beta1/inferenceservice/reconcilers/service/service_reconciler.go

Lines 112 to 123 in 4add27b

	if componentExt != nil && componentExt.Batcher != nil {
	servicePorts[0].TargetPort = intstr.IntOrString{
	Type: intstr.Int,
	IntVal: constants.InferenceServiceDefaultAgentPort,
	}
	}
	if componentExt != nil && componentExt.Logger != nil {
	servicePorts[0].TargetPort = intstr.IntOrString{
	Type: intstr.Int,
	IntVal: constants.InferenceServiceDefaultAgentPort,
	}
	}

I can see that the Service is choosing between the agent container and the predictor container. Since when auth is enabled, that Service will be moved to oauth-proxy, there should be an equivalent logic here, so that oauth-proxy chooses between the predictor and the agent container.

By setting it fixed to the predictor, the agent container can be bypassed, leading to batching and logging features to stop working when enabling auth. The logging feature is being used by TrustyAI team, so I think we should ensure logging still works.

[israel-hdez]

Perhaps, contribute this one to upstream?

[israel-hdez]

I'm not seeing right to change the default service account. It could be considered backwards incompatible.

[israel-hdez]

Add unit tests for the routes.

[israel-hdez]

If the CommonDefaultHttpPort is going away, I think you should reflect in the Status of the ISVC the right port to reach.