[release-v0.15] Back-porting fixes for InferenceGraph (#648)

* Fix IG readiness probe

KServe project has added readiness probes to raw IG. ODH fork needs the following adaptations:
* The HTTP server has TLS. Thus, the readiness probe needs to be configured with HTTPS.
* When auth is enabled, the /readyz endpoint should bypass auth check.

Signed-off-by: Edgar Hernández <[email protected]>

* Fix Raw InferenceGraph not connecting to ISVCs (#581)

This is an ODH/OpenShift-specific fix. Since the InferenceServices can be protected under TLS, the InferenceGraph workload requires to trust OpenShift Serving certificates. This fixes kserve-contoller to properly configure the IG router workload to trust needed certificates so that connections succeed.

Signed-off-by: Edgar Hernández <[email protected]>

* Adapt unit tests for ODH

Signed-off-by: Edgar Hernández <[email protected]>

---------

Signed-off-by: Edgar Hernández <[email protected]>
Co-authored-by: Edgar Hernández <[email protected]>
Co-authored-by: Edgar Hernández <[email protected]>

Author: openshift-cherrypick-robot

cmd/router/main.go

@@ -609,8 +609,8 @@ func main() {
 		log.Info("This Router has authorization enabled")
 	}
 
-	http.Handle("/", entrypointHandler)
 	http.HandleFunc(constants.RouterReadinessEndpoint, readyHandler)
+	http.Handle("/", entrypointHandler)
 
 	server := &http.Server{
 		Addr:         ":8080",         // specify the address and port

pkg/controller/v1alpha1/inferencegraph/raw_ig.go

@@ -83,6 +83,30 @@ func createInferenceGraphPodSpec(graph *v1alpha1.InferenceGraph, config *RouterC
 						Drop: []corev1.Capability{corev1.Capability("ALL")},
 					},
 				},
+				VolumeMounts: []corev1.VolumeMount{
+					{
+						Name:      "openshift-service-ca-bundle",
+						MountPath: "/etc/odh/openshift-service-ca-bundle",
+					},
+				},
+				Env: []corev1.EnvVar{
+					{
+						Name:  "SSL_CERT_FILE",
+						Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
+					},
+				},
+			},
+		},
+		Volumes: []corev1.Volume{
+			{
+				Name: "openshift-service-ca-bundle",
+				VolumeSource: corev1.VolumeSource{
+					ConfigMap: &corev1.ConfigMapVolumeSource{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: constants.OpenShiftServiceCaConfigMapName,
+						},
+					},
+				},
 			},
 		},
 		Affinity:                     graph.Spec.Affinity,
@@ -98,12 +122,12 @@ func createInferenceGraphPodSpec(graph *v1alpha1.InferenceGraph, config *RouterC
 	// Only adding this env variable "PROPAGATE_HEADERS" if router's headers config has the key "propagate"
 	value, exists := config.Headers["propagate"]
 	if exists {
-		podSpec.Containers[0].Env = []corev1.EnvVar{
-			{
-				Name:  constants.RouterHeadersPropagateEnvVar,
-				Value: strings.Join(value, ","),
-			},
+		propagateEnv := corev1.EnvVar{
+			Name:  constants.RouterHeadersPropagateEnvVar,
+			Value: strings.Join(value, ","),
 		}
+
+		podSpec.Containers[0].Env = append(podSpec.Containers[0].Env, propagateEnv)
 	}
 
 	// If auth is enabled for the InferenceGraph:
@@ -128,6 +152,9 @@ func createInferenceGraphPodSpec(graph *v1alpha1.InferenceGraph, config *RouterC
 		podSpec.ServiceAccountName = graph.GetName() + "-auth-verifier"
 	}
 
+	// In ODH, the readiness probe is using HTTPS
+	podSpec.Containers[0].ReadinessProbe.ProbeHandler.HTTPGet.Scheme = corev1.URISchemeHTTPS
+
 	return podSpec
 }
 

pkg/controller/v1alpha1/inferencegraph/raw_ig_test.go

@@ -63,6 +63,7 @@ func TestCreateInferenceGraphPodSpec(t *testing.T) {
 	}
 
 	expectedReadinessProbe := constants.GetRouterReadinessProbe()
+	expectedReadinessProbe.ProbeHandler.HTTPGet.Scheme = corev1.URISchemeHTTPS
 
 	testIGSpecs := map[string]*InferenceGraph{
 		"basic": {
@@ -220,6 +221,30 @@ func TestCreateInferenceGraphPodSpec(t *testing.T) {
 							Drop: []corev1.Capability{corev1.Capability("ALL")},
 						},
 					},
+					VolumeMounts: []corev1.VolumeMount{
+						{
+							Name:      "openshift-service-ca-bundle",
+							MountPath: "/etc/odh/openshift-service-ca-bundle",
+						},
+					},
+					Env: []corev1.EnvVar{
+						{
+							Name:  "SSL_CERT_FILE",
+							Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
+						},
+					},
+				},
+			},
+			Volumes: []corev1.Volume{
+				{
+					Name: "openshift-service-ca-bundle",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: constants.OpenShiftServiceCaConfigMapName,
+							},
+						},
+					},
 				},
 			},
 			AutomountServiceAccountToken: proto.Bool(false),
@@ -237,6 +262,10 @@ func TestCreateInferenceGraphPodSpec(t *testing.T) {
 						"{\"nodes\":{\"root\":{\"routerType\":\"Sequence\",\"steps\":[{\"serviceUrl\":\"http://someservice.exmaple.com\"}]}},\"resources\":{}}",
 					},
 					Env: []corev1.EnvVar{
+						{
+							Name:  "SSL_CERT_FILE",
+							Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
+						},
 						{
 							Name:  "PROPAGATE_HEADERS",
 							Value: "Authorization,Intuit_tid",
@@ -262,6 +291,24 @@ func TestCreateInferenceGraphPodSpec(t *testing.T) {
 							Drop: []corev1.Capability{corev1.Capability("ALL")},
 						},
 					},
+					VolumeMounts: []corev1.VolumeMount{
+						{
+							Name:      "openshift-service-ca-bundle",
+							MountPath: "/etc/odh/openshift-service-ca-bundle",
+						},
+					},
+				},
+			},
+			Volumes: []corev1.Volume{
+				{
+					Name: "openshift-service-ca-bundle",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: constants.OpenShiftServiceCaConfigMapName,
+							},
+						},
+					},
 				},
 			},
 			AutomountServiceAccountToken: proto.Bool(false),
@@ -298,6 +345,30 @@ func TestCreateInferenceGraphPodSpec(t *testing.T) {
 							Drop: []corev1.Capability{corev1.Capability("ALL")},
 						},
 					},
+					VolumeMounts: []corev1.VolumeMount{
+						{
+							Name:      "openshift-service-ca-bundle",
+							MountPath: "/etc/odh/openshift-service-ca-bundle",
+						},
+					},
+					Env: []corev1.EnvVar{
+						{
+							Name:  "SSL_CERT_FILE",
+							Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
+						},
+					},
+				},
+			},
+			Volumes: []corev1.Volume{
+				{
+					Name: "openshift-service-ca-bundle",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: constants.OpenShiftServiceCaConfigMapName,
+							},
+						},
+					},
 				},
 			},
 			AutomountServiceAccountToken: proto.Bool(false),
@@ -334,6 +405,30 @@ func TestCreateInferenceGraphPodSpec(t *testing.T) {
 							Drop: []corev1.Capability{corev1.Capability("ALL")},
 						},
 					},
+					VolumeMounts: []corev1.VolumeMount{
+						{
+							Name:      "openshift-service-ca-bundle",
+							MountPath: "/etc/odh/openshift-service-ca-bundle",
+						},
+					},
+					Env: []corev1.EnvVar{
+						{
+							Name:  "SSL_CERT_FILE",
+							Value: "/etc/odh/openshift-service-ca-bundle/service-ca.crt",
+						},
+					},
+				},
+			},
+			Volumes: []corev1.Volume{
+				{
+					Name: "openshift-service-ca-bundle",
+					VolumeSource: corev1.VolumeSource{
+						ConfigMap: &corev1.ConfigMapVolumeSource{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: constants.OpenShiftServiceCaConfigMapName,
+							},
+						},
+					},
 				},
 			},
 			AutomountServiceAccountToken: proto.Bool(false),