From 96750125cd6418d283c174e3f83aa6c7417ac29c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <23639005+israel-hdez@users.noreply.github.com>
Date: Sun, 3 Nov 2024 17:04:02 -0600
Subject: [PATCH] Trust OpenShift service CA in kserve-router
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This changes kserve-controller to mount the OpenShift Service CA bundle into kserve-router container and a configures it to trust the bundle. This affects InferenceGraph deployed in Serverless mode. With these changes, InferenceGraphs will work correctly when deployed without an Istio sidecar. These changes are needed because in ODH the InferenceServices are secured with TLS. The internal endpoints (which are the ones InferenceGraph uses) are using OpenShift service serving certificates.

Related to: https://issues.redhat.com/browse/RHOAIENG-13448

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
---
 pkg/constants/constants.go | 5 ++
 .../inferencegraph/controller_test.go | 66 +++++++++++++++++++
 .../inferencegraph/knative_reconciler.go | 34 ++++++++--
 3 files changed, 100 insertions(+), 5 deletions(-)

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 97543756fa7..0992bdff19c 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -496,6 +496,11 @@ var (
 MultiNodeHead = "head"
 )
 
+// OpenShift constants
+const (
+ OpenShiftServiceCaConfigMapName = "openshift-service-ca.crt"
+)
+
 // GetRawServiceLabel generate native service label
 func GetRawServiceLabel(service string) string {
 return "isvc." + service
diff --git a/pkg/controller/v1alpha1/inferencegraph/controller_test.go b/pkg/controller/v1alpha1/inferencegraph/controller_test.go
index 5ee18d38dbd..a2634dda740 100644
--- a/pkg/controller/v1alpha1/inferencegraph/controller_test.go
+++ b/pkg/controller/v1alpha1/inferencegraph/controller_test.go
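Review bot: Only the ConfigMap name became a constant in this hunk; the volume name `openshift-service-ca-bundle`, the mount path `/etc/odh/openshift-service-ca-bundle` and the bundle key `service-ca.crt` stay as string literals in knative_reconciler.go and are pasted three more times into controller_test.go, so the reconciler and its tests can drift apart without a compile error. I would add them here next to `OpenShiftServiceCaConfigMapName`, e.g. `OpenShiftServiceCaBundleVolumeName = "openshift-service-ca-bundle"`, `OpenShiftServiceCaBundleMountPath = "/etc/odh/openshift-service-ca-bundle"` and `OpenShiftServiceCaBundleKey = "service-ca.crt"`, and build the `SSL_CERT_FILE` value from the last two. The `// OpenShift constants` comment could also say what the name must match — as far as I know this is the ConfigMap the OpenShift service-ca operator injects into every namespace, with the CA under the `service-ca.crt` key — so nobody renames it without checking the operator.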
@@ -147,6 +147,10 @@ var _ = Describe("Inference Graph controller test", func() {
 {
 Image: "kserve/router:v0.10.0",
 Env: []v1.EnvVar{
+ {
+ Name: "SSL_CERT_FILE",
+ Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
+ },
 {
 Name: "PROPAGATE_HEADERS",
 Value: "Authorization,Intuit_tid",
@@ -175,9 +179,27 @@ var _ = Describe("Inference Graph controller test", func() {
 Drop: []v1.Capability{v1.Capability("ALL")},
 },
 },
+ VolumeMounts: []v1.VolumeMount{
+ {
+ Name: "openshift-service-ca-bundle",
+ MountPath: "/etc/odh/openshift-service-ca-bundle",
+ },
+ },
 },
 },
 AutomountServiceAccountToken: proto.Bool(false),
+ Volumes: []v1.Volume{
+ {
+ Name: "openshift-service-ca-bundle",
+ VolumeSource: v1.VolumeSource{
+ ConfigMap: &v1.ConfigMapVolumeSource{
+ LocalObjectReference: v1.LocalObjectReference{
+ Name: constants.OpenShiftServiceCaConfigMapName,
+ },
+ },
+ },
+ },
+ },
 },
 },
 },
@@ -283,6 +305,10 @@ var _ = Describe("Inference Graph controller test", func() {
 {
 Image: "kserve/router:v0.10.0",
 Env: []v1.EnvVar{
+ {
+ Name: "SSL_CERT_FILE",
+ Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
+ },
 {
 Name: "PROPAGATE_HEADERS",
 Value: "Authorization,Intuit_tid",
@@ -311,9 +337,27 @@ var _ = Describe("Inference Graph controller test", func() {
 Drop: []v1.Capability{v1.Capability("ALL")},
 },
 },
+ VolumeMounts: []v1.VolumeMount{
+ {
+ Name: "openshift-service-ca-bundle",
+ MountPath: "/etc/odh/openshift-service-ca-bundle",
+ },
+ },
 },
 },
 AutomountServiceAccountToken: proto.Bool(false),
+ Volumes: []v1.Volume{
+ {
+ Name: "openshift-service-ca-bundle",
+ VolumeSource: v1.VolumeSource{
+ ConfigMap: &v1.ConfigMapVolumeSource{
+ LocalObjectReference: v1.LocalObjectReference{
+ Name: constants.OpenShiftServiceCaConfigMapName,
+ },
+ },
+ },
+ },
+ },
 },
 },
 },
@@ -433,6 +477,10 @@ var _ = Describe("Inference Graph controller test", func() {
 {
 Image: "kserve/router:v0.10.0",
 Env: []v1.EnvVar{
+ {
+ Name: "SSL_CERT_FILE",
+ Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
+ },
 {
 Name: "PROPAGATE_HEADERS",
 Value: "Authorization,Intuit_tid",
@@ -461,6 +509,12 @@ var _ = Describe("Inference Graph controller test", func() {
 Drop: []v1.Capability{v1.Capability("ALL")},
 },
 },
+ VolumeMounts: []v1.VolumeMount{
+ {
+ Name: "openshift-service-ca-bundle",
+ MountPath: "/etc/odh/openshift-service-ca-bundle",
+ },
+ },
 },
 },
 Affinity: &v1.Affinity{
@@ -487,6 +541,18 @@ var _ = Describe("Inference Graph controller test", func() {
 },
 },
 AutomountServiceAccountToken: proto.Bool(false),
+ Volumes: []v1.Volume{
+ {
+ Name: "openshift-service-ca-bundle",
+ VolumeSource: v1.VolumeSource{
+ ConfigMap: &v1.ConfigMapVolumeSource{
+ LocalObjectReference: v1.LocalObjectReference{
+ Name: constants.OpenShiftServiceCaConfigMapName,
+ },
+ },
+ },
+ },
+ },
 },
 },
 },
diff --git a/pkg/controller/v1alpha1/inferencegraph/knative_reconciler.go b/pkg/controller/v1alpha1/inferencegraph/knative_reconciler.go
index b61790bbd1b..2caf8dac1a4 100644
--- a/pkg/controller/v1alpha1/inferencegraph/knative_reconciler.go
+++ b/pkg/controller/v1alpha1/inferencegraph/knative_reconciler.go
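Review bot: The expected `SSL_CERT_FILE` env entry, the `VolumeMounts` entry and the `Volumes` entry are duplicated verbatim across the three test cases (these hunks and the two in the previous chunk), so any later change to the path or key means editing six places to keep the suite green. I would hoist them into package-level fixtures in the test file, e.g. `var expectedServiceCAMount = v1.VolumeMount{Name: "openshift-service-ca-bundle", MountPath: "/etc/odh/openshift-service-ca-bundle"}` with matching `expectedServiceCAVolume` and `expectedServiceCAEnv` values, and reference them from each expectation. These expectations also only cover the Knative service; I presume the Raw-deployment InferenceGraph path is deliberately out of scope, as the commit message says, but nothing here asserts that it is unaffected.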
@@ -203,6 +203,30 @@ func createKnativeService(componentMeta metav1.ObjectMeta, graph *v1alpha1api.In
 Drop: []v1.Capability{v1.Capability("ALL")},
 },
 },
+ VolumeMounts: []v1.VolumeMount{
+ {
+ Name: "openshift-service-ca-bundle",
+ MountPath: "/etc/odh/openshift-service-ca-bundle",
+ },
+ },
+ Env: []v1.EnvVar{
+ {
+ Name: "SSL_CERT_FILE",
+ Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
+ },
+ },
+ },
+ },
+ Volumes: []v1.Volume{
+ {
+ Name: "openshift-service-ca-bundle",
+ VolumeSource: v1.VolumeSource{
+ ConfigMap: &v1.ConfigMapVolumeSource{
+ LocalObjectReference: v1.LocalObjectReference{
+ Name: constants.OpenShiftServiceCaConfigMapName,
+ },
+ },
+ },
 },
 },
 Affinity: graph.Spec.Affinity,
@@ -217,12 +241,12 @@ func createKnativeService(componentMeta metav1.ObjectMeta, graph *v1alpha1api.In
 // Only adding this env variable "PROPAGATE_HEADERS" if router's headers config has the key "propagate"
 value, exists := config.Headers["propagate"]
 if exists {
- service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env = []v1.EnvVar{
- {
- Name: constants.RouterHeadersPropagateEnvVar,
- Value: strings.Join(value, ","),
- },
+ propagateEnv := v1.EnvVar{
+ Name: constants.RouterHeadersPropagateEnvVar,
+ Value: strings.Join(value, ","),
 }
+
+ service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env = append(service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env, propagateEnv)
 }
 return service
 }
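Review bot: The `openshift-service-ca.crt` ConfigMap volume added to the router pod is mandatory (no `Optional`), so in any namespace or cluster where that ConfigMap is absent — a non-OpenShift cluster, or a namespace the service-ca operator has not populated yet — the kubelet keeps every Serverless InferenceGraph revision in ContainerCreating with a "configmap not found" event, including graphs that never speak TLS. If this controller can run outside OpenShift, either gate the mount and the `SSL_CERT_FILE` env on a platform check, or set `Optional: ptr.To(true)` on the `ConfigMapVolumeSource` (using whichever bool-pointer helper this package already uses); with the optional form a missing bundle still fails closed, because `SSL_CERT_FILE` only adds trust roots and never disables verification, and the symptom becomes a clear x509 error at request time rather than an unschedulable pod. Note also that, if the router is the Go binary I expect it is, pointing `SSL_CERT_FILE` at the bundle replaces the default system CA *file* lookup, so any public CA the router still needs is presumably only picked up through the default certificate directories — worth confirming on the router image if graph nodes may target external HTTPS endpoints. The enclosing `createKnativeService` starts before this hunk.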
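Review bot: The `append` line in the `if exists` branch spells out `service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0].Env` twice on one line, which is hard to read and easy to get subtly wrong if the two selectors ever diverge. I would take the container once, `router := &service.Spec.ConfigurationSpec.Template.Spec.PodSpec.Containers[0]`, and then write `router.Env = append(router.Env, propagateEnv)`. `createKnativeService` begins before this hunk, so that pointer could equally be introduced where the container literal is built further up.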