Merge pull request #215 from israel-hdez/r012-main-sync

Sync main -> release-0.12.0
opendatahub-io · May 31, 2024 · 25be57d · 25be57d
2 parents af1c13e + 659e3db
commit 25be57d
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 21 deletions.
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -3,3 +3,6 @@ bases:
   - ../manager
   - ../webhook
   - ../runtimes
+
+resources:
+  - networkpolicy.yaml
diff --git a/config/default/networkpolicy.yaml b/config/default/networkpolicy.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: odh-model-controller
+spec:
+  ingress:
+    - ports:
+      - port: 9443
+        protocol: TCP
+  podSelector:
+    matchLabels:
+      app: odh-model-controller
+      control-plane: odh-model-controller
diff --git a/controllers/inferenceservice_controller.go b/controllers/inferenceservice_controller.go
@@ -155,16 +155,17 @@ func (r *OpenshiftInferenceServiceReconciler) SetupWithManager(mgr ctrl.Manager)
 		r.log.V(1).Error(kserveWithMeshEnabledErr, "could not determine if kserve have service mesh enabled")
 	}
 
-	authorinoEnabled, capabilityErr := utils.VerifyIfMeshAuthorizationIsEnabled(context.Background(), r.client)
-	if capabilityErr != nil {
-		r.log.V(1).Error(capabilityErr, "could not determine if Authorino is enabled")
+	isAuthConfigAvailable, crdErr := utils.IsCrdAvailable(mgr.GetConfig(), authorinov1beta2.GroupVersion.String(), "AuthConfig")
+	if crdErr != nil {
+		r.log.V(1).Error(crdErr, "could not determine if AuthConfig CRD is available")
+		return crdErr
 	}
 
-	if kserveWithMeshEnabled && authorinoEnabled {
-		r.log.Info("KServe with Service Mesh is enabled and Authorino is registered, enabling Authorization")
+	if kserveWithMeshEnabled && isAuthConfigAvailable {
+		r.log.Info("KServe is enabled and AuthConfig CRD is available, watching AuthConfigs")
 		builder.Owns(&authorinov1beta2.AuthConfig{})
 	} else if kserveWithMeshEnabled {
-		r.log.Info("Using KServe with Service Mesh, but Authorino is not installed - skipping authorization.")
+		r.log.Info("Using KServe with Service Mesh, but AuthConfig CRD is not installed - skipping AuthConfigs watches.")
 	} else {
 		r.log.Info("Didn't find KServe with Service Mesh.")
 	}

diff --git a/controllers/utils/init.go b/controllers/utils/init.go
@@ -3,6 +3,7 @@ package utils
 import (
 	kservev1alpha1 "github.com/kserve/kserve/pkg/apis/serving/v1alpha1"
 	kservev1beta1 "github.com/kserve/kserve/pkg/apis/serving/v1beta1"
+	authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2"
 	routev1 "github.com/openshift/api/route/v1"
 	monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	istiosecurityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
@@ -32,6 +33,7 @@ func RegisterSchemes(s *runtime.Scheme) {
 	utilruntime.Must(telemetryv1alpha1.AddToScheme(s))
 	utilruntime.Must(maistrav1.SchemeBuilder.AddToScheme(s))
 	utilruntime.Must(knservingv1.AddToScheme(s))
+	utilruntime.Must(authorinov1beta2.SchemeBuilder.AddToScheme(s))
 
 	// The following are related to Service Mesh, uncomment this and other
 	// similar blocks to use with Service Mesh

diff --git a/controllers/utils/utils.go b/controllers/utils/utils.go
@@ -4,16 +4,20 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/kuadrant/authorino/pkg/log"
 	"os"
 	"reflect"
 
 	kservev1beta1 "github.com/kserve/kserve/pkg/apis/serving/v1beta1"
+	"github.com/kuadrant/authorino/pkg/log"
 	v1beta12 "istio.io/api/security/v1beta1"
 	"istio.io/client-go/pkg/apis/security/v1beta1"
 	corev1 "k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/opendatahub-io/odh-model-controller/controllers/constants"
@@ -25,6 +29,8 @@ var (
 	Serverless    IsvcDeploymentMode = "Serverless"
 	RawDeployment IsvcDeploymentMode = "RawDeployment"
 	ModelMesh     IsvcDeploymentMode = "ModelMesh"
+
+	gvResourcesCache map[string]*metav1.APIResourceList
 )
 
 const (
@@ -271,3 +277,62 @@ func getDSCIObject(ctx context.Context, cli client.Client) (*unstructured.Unstru
 
 	return objectList, nil
 }
+
+// IsCrdAvailable checks if a given CRD is present in the cluster by verifying the
+// existence of its API.
+func IsCrdAvailable(config *rest.Config, groupVersion, kind string) (bool, error) {
+	gvResources, err := GetAvailableResourcesForApi(config, groupVersion)
+	if err != nil {
+		return false, err
+	}
+
+	found := false
+	if gvResources != nil {
+		for _, crd := range gvResources.APIResources {
+			if crd.Kind == kind {
+				found = true
+				break
+			}
+		}
+	}
+
+	return found, nil
+}
+
+// GetAvailableResourcesForApi returns the list of discovered resources that belong
+// to the API specified in groupVersion. The first query to a specifig groupVersion will
+// query the cluster API server to discover the available resources and the discovered
+// resources will be cached and returned to subsequent invocations to prevent additional
+// queries to the API server.
+func GetAvailableResourcesForApi(config *rest.Config, groupVersion string) (*metav1.APIResourceList, error) {
+	var gvResources *metav1.APIResourceList
+	var ok bool
+
+	if gvResources, ok = gvResourcesCache[groupVersion]; !ok {
+		discoveryClient, newClientErr := discovery.NewDiscoveryClientForConfig(config)
+		if newClientErr != nil {
+			return nil, newClientErr
+		}
+
+		var getGvResourcesErr error
+		gvResources, getGvResourcesErr = discoveryClient.ServerResourcesForGroupVersion(groupVersion)
+		if getGvResourcesErr != nil && !apierr.IsNotFound(getGvResourcesErr) {
+			return nil, getGvResourcesErr
+		}
+
+		SetAvailableResourcesForApi(groupVersion, gvResources)
+	}
+
+	return gvResources, nil
+}
+
+// SetAvailableResourcesForApi stores the value fo resources argument in the global cache
+// of discovered API resources. This function should never be called directly. It is exported
+// for usage in tests.
+func SetAvailableResourcesForApi(groupVersion string, resources *metav1.APIResourceList) {
+	if gvResourcesCache == nil {
+		gvResourcesCache = make(map[string]*metav1.APIResourceList)
+	}
+
+	gvResourcesCache[groupVersion] = resources
+}
diff --git a/main.go b/main.go
@@ -22,15 +22,12 @@ import (
 	"os"
 	"strconv"
 
-	authorinov1beta2 "github.com/kuadrant/authorino/api/v1beta2"
-
 	// to ensure that exec-entrypoint and run can make use of them.
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 
 	"istio.io/client-go/pkg/apis/security/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	knservingv1 "knative.dev/serving/pkg/apis/serving/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -198,17 +195,6 @@ func main() {
 		setupLog.Info("Skipping setup of Knative Service validating Webhook, because KServe Serverless setup seems to be disabled in the DataScienceCluster resource.")
 	}
 
-	authorinoEnabled, capabilityErr := utils.VerifyIfMeshAuthorizationIsEnabled(context.Background(), mgr.GetClient())
-	if capabilityErr != nil {
-		setupLog.Error(capabilityErr, "unable to determine if Authorino is enabled")
-		os.Exit(1)
-	}
-	if kserveWithMeshEnabled && authorinoEnabled {
-		utilruntime.Must(authorinov1beta2.SchemeBuilder.AddToScheme(scheme))
-	} else {
-		setupLog.Info("Authorino is not enabled, skipping handling")
-	}
-
 	//+kubebuilder:scaffold:builder
 
 	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {