add oauth-proxy to rawdeployments if odh auth label is present (#419)

* add oauth-proxy to rawdeployments if odh auth label is present
* remove ingress modifications
* bug fix
* consume oauth proxy params from configmap
* fix oauth proxy sar and minor bugs
* revert some unneeded changes
* add oauth proxy flag to prevent login page redirect on invalid request
* address feedback
* update to newer oauth proxy image
* minor fix
* fix unit test
* more feedback
* cookie secret
* test and other fixes
* fix lint issues
* address latest feedback
* missed import sort
* address more feedback
* bug fix
* fix lint error

cmd/manager/main.go

@@ -50,6 +50,7 @@ import (
 	v1beta1controller "github.com/kserve/kserve/pkg/controller/v1beta1/inferenceservice"
 	"github.com/kserve/kserve/pkg/webhook/admission/pod"
 	"github.com/kserve/kserve/pkg/webhook/admission/servingruntime"
+	routev1 "github.com/openshift/api/route/v1"
 )
 
 var (
@@ -187,7 +188,10 @@ func main() {
 			}
 		}
 	}
-
+	if err = routev1.AddToScheme(mgr.GetScheme()); err != nil {
+		setupLog.Error(err, "unable to add routev1 APIs to scheme")
+		os.Exit(1)
+	}
 	setupLog.Info("Setting up core scheme")
 	if err := v1.AddToScheme(mgr.GetScheme()); err != nil {
 		setupLog.Error(err, "unable to add Core APIs to scheme")

config/overlays/odh/inferenceservice-config-patch.yaml

@@ -5,6 +5,14 @@ metadata:
   namespace: kserve
 data:
   explainers: "{}"
+  oauthProxy: |- 
+    {
+      "image" : "$(oauth-proxy)",
+      "memoryRequest": "64Mi",
+      "memoryLimit": "128Mi",
+      "cpuRequest": "100m",
+      "cpuLimit": "200m"
+    }
   storageInitializer: |-
     {
         "image" : "$(kserve-storage-initializer)",

config/overlays/odh/kustomization.yaml

@@ -54,6 +54,13 @@ vars:
     apiVersion: v1
     kind: ConfigMap
     name: kserve-parameters
+- fieldref:
+    fieldpath: data.oauth-proxy
+  name: oauth-proxy
+  objref:
+    apiVersion: v1
+    kind: ConfigMap
+    name: kserve-parameters
 
 configurations:
   - params.yaml

config/overlays/odh/params.env

@@ -2,3 +2,4 @@ kserve-controller=quay.io/opendatahub/kserve-controller:latest
 kserve-agent=quay.io/opendatahub/kserve-agent:latest
 kserve-router=quay.io/opendatahub/kserve-router:latest
 kserve-storage-initializer=quay.io/opendatahub/kserve-storage-initializer:latest
+oauth-proxy=registry.redhat.io/openshift4/ose-oauth-proxy@sha256:234af927030921ab8f7333f61f967b4b4dee37a1b3cf85689e9e63240dd62800

config/rbac/role.yaml

@@ -111,6 +111,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - route.openshift.io
+  resources:
+  - routes
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - serving.knative.dev
   resources:

go.mod

@@ -18,6 +18,7 @@ require (
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/onsi/ginkgo/v2 v2.20.1
 	github.com/onsi/gomega v1.34.2
+	github.com/openshift/api v0.0.0-20241108213852-e22f17d9b7f5
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
@@ -30,18 +31,18 @@ require (
 	gopkg.in/go-playground/validator.v9 v9.31.0
 	istio.io/api v1.23.0
 	istio.io/client-go v1.23.0
-	k8s.io/api v0.30.4
-	k8s.io/apimachinery v0.30.4
-	k8s.io/client-go v0.30.4
-	k8s.io/code-generator v0.30.4
+	k8s.io/api v0.31.2
+	k8s.io/apimachinery v0.31.2
+	k8s.io/client-go v0.31.0
+	k8s.io/code-generator v0.31.0
 	k8s.io/component-helpers v0.30.4
 	k8s.io/klog v1.0.0
 	k8s.io/kube-openapi v0.0.0-20240827152857-f7e401e7b4c2
 	k8s.io/utils v0.0.0-20240821151609-f90d01438635
 	knative.dev/networking v0.0.0-20240815142417-37fdbdd0854b
 	knative.dev/pkg v0.0.0-20240815051656-89743d9bbf7c
 	knative.dev/serving v0.42.2
-	sigs.k8s.io/controller-runtime v0.18.5
+	sigs.k8s.io/controller-runtime v0.19.1
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -59,9 +60,9 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
-	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -107,6 +108,7 @@ require (
 	github.com/prometheus/statsd_exporter v0.27.1 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
@@ -130,11 +132,12 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240827150818-7e3bb234dfed // indirect
 	google.golang.org/grpc v1.66.0 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.30.4 // indirect
+	k8s.io/apiextensions-apiserver v0.31.0 // indirect
 	k8s.io/gengo/v2 v2.0.0-20240826214909-a7b603a56eb7 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect