[release-v0.15] RHOAIENG-24134: KServe Support secure access to the metrics server with TriggerAuthentication for KEDA autoscaling (#644)

* support for secure access to the metric server

Signed-off-by: Andrews Arokiam <[email protected]>

* precommit check

Signed-off-by: Andrews Arokiam <[email protected]>

* added field authmodes

Signed-off-by: Andrews Arokiam <[email protected]>

* added e2e tests

Signed-off-by: Andrews Arokiam <[email protected]>

---------

Signed-off-by: Andrews Arokiam <[email protected]>
Co-authored-by: Andrews Arokiam <[email protected]>

Author: openshift-cherrypick-robot

config/crd/full/serving.kserve.io_inferenceservices.yaml

@@ -1196,8 +1196,17 @@ spec:
                             properties:
                               external:
                                 properties:
+                                  authenticationRef:
+                                    properties:
+                                      name:
+                                        type: string
+                                    required:
+                                      - name
+                                    type: object
                                   metric:
                                     properties:
+                                      authModes:
+                                        type: string
                                       backend:
                                         enum:
                                           - prometheus
@@ -4336,8 +4345,17 @@ spec:
                             properties:
                               external:
                                 properties:
+                                  authenticationRef:
+                                    properties:
+                                      name:
+                                        type: string
+                                    required:
+                                      - name
+                                    type: object
                                   metric:
                                     properties:
+                                      authModes:
+                                        type: string
                                       backend:
                                         enum:
                                           - prometheus
@@ -18649,8 +18667,17 @@ spec:
                             properties:
                               external:
                                 properties:
+                                  authenticationRef:
+                                    properties:
+                                      name:
+                                        type: string
+                                    required:
+                                      - name
+                                    type: object
                                   metric:
                                     properties:
+                                      authModes:
+                                        type: string
                                       backend:
                                         enum:
                                           - prometheus

pkg/apis/serving/v1beta1/component.go

@@ -201,6 +201,11 @@ type ExternalMetricSource struct {
 	// metric identifies the target metric by name and selector
 	Metric ExternalMetrics `json:"metric"`
 
+	// authenticationRef is a reference to the authentication information
+	// for more information see: https://keda.sh/docs/2.17/scalers/prometheus/#authentication-parameters
+	// +optional
+	AuthenticationRef ExtMetricAuth `json:"authenticationRef"`
+
 	// target specifies the target value for the given metric
 	Target MetricTarget `json:"target"`
 }
@@ -217,6 +222,10 @@ type PodMetricSource struct {
 	Target MetricTarget `json:"target"`
 }
 
+type ExtMetricAuth struct {
+	Name string `json:"name"`
+}
+
 // MetricTarget defines the target value, average value, or average utilization of a specific metric
 type MetricTarget struct {
 	// type represents whether the metric type is Utilization, Value, or AverageValue
@@ -268,6 +277,9 @@ type ExternalMetrics struct {
 	// For namespaced query
 	// +optional
 	Namespace string `json:"namespace,omitempty"`
+	// authModes defines the authentication modes for the metrics backend
+	// +optional
+	AuthModes string `json:"authModes,omitempty"`
 }
 
 type PodMetrics struct {

pkg/apis/serving/v1beta1/zz_generated.deepcopy.go

@@ -108,7 +108,9 @@ func getKedaMetrics(componentExt *v1beta1.ComponentExtensionSpec,
 			case v1beta1.ExternalMetricSourceType:
 				triggerType := string(metric.External.Metric.Backend)
 				serverAddress := metric.External.Metric.ServerAddress
+				authModes := metric.External.Metric.AuthModes
 				query := metric.External.Metric.Query
+				authRef := metric.External.AuthenticationRef
 
 				trigger := kedav1alpha1.ScaleTriggers{
 					Type: triggerType,
@@ -118,9 +120,17 @@ func getKedaMetrics(componentExt *v1beta1.ComponentExtensionSpec,
 						"threshold":     fmt.Sprintf("%f", metric.External.Target.Value.AsApproximateFloat64()),
 					},
 				}
+				if authModes != "" {
+					trigger.Metadata["authModes"] = authModes
+				}
 				if triggerType == string(constants.AutoScalerMetricsSourcePrometheus) && metric.External.Metric.Namespace != "" {
 					trigger.Metadata["namespace"] = metric.External.Metric.Namespace
 				}
+				if authRef.Name != "" {
+					trigger.AuthenticationRef = &kedav1alpha1.AuthenticationRef{
+						Name: authRef.Name,
+					}
+				}
 				triggers = append(triggers, trigger)
 			case v1beta1.PodMetricSourceType:
 				otelConfig, err := v1beta1.NewOtelCollectorConfig(configMap)

pkg/controller/v1beta1/inferenceservice/reconcilers/keda/keda_reconciler.go

@@ -2791,13 +2791,27 @@
         }
       }
     },
+    "v1beta1.ExtMetricAuth": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "default": ""
+        }
+      }
+    },
     "v1beta1.ExternalMetricSource": {
       "type": "object",
       "required": [
         "metric",
         "target"
       ],
       "properties": {
+        "authenticationRef": {
+          "description": "authenticationRef is a reference to the authentication information for more information see: https://keda.sh/docs/2.17/scalers/prometheus/#authentication-parameters",
+          "default": {},
+          "$ref": "#/definitions/v1beta1.ExtMetricAuth"
+        },
         "metric": {
           "description": "metric identifies the target metric by name and selector",
           "default": {},
@@ -2813,6 +2827,10 @@
     "v1beta1.ExternalMetrics": {
       "type": "object",
       "properties": {
+        "authModes": {
+          "description": "authModes defines the authentication modes for the metrics backend",
+          "type": "string"
+        },
         "backend": {
           "description": "MetricsBackend defines the scaling metric type watched by autoscaler possible values are prometheus, graphite.",
           "type": "string",

pkg/openapi/openapi_generated.go

@@ -0,0 +1,10 @@
+# V1beta1ExtMetricAuth
+
+## Properties
+Name | Type | Description | Notes
+------------ | ------------- | ------------- | -------------
+**name** | **str** |  | [optional] [default to '']
+
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+
+

pkg/openapi/swagger.json

@@ -3,6 +3,7 @@
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
+**authentication_ref** | [**V1beta1ExtMetricAuth**](V1beta1ExtMetricAuth.md) |  | [optional] 
 **metric** | [**V1beta1ExternalMetrics**](V1beta1ExternalMetrics.md) |  | 
 **target** | [**V1beta1MetricTarget**](V1beta1MetricTarget.md) |  | 
 

python/kserve/docs/V1beta1ExtMetricAuth.md

@@ -3,6 +3,7 @@
 ## Properties
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
+**auth_modes** | **str** | authModes defines the authentication modes for the metrics backend | [optional] 
 **backend** | **str** | MetricsBackend defines the scaling metric type watched by autoscaler possible values are prometheus, graphite. | [optional] [default to '']
 **namespace** | **str** | For namespaced query | [optional] 
 **query** | **str** | Query to run to get metrics from MetricsBackend | [optional] 

python/kserve/docs/V1beta1ExternalMetricSource.md

@@ -114,3 +114,4 @@
 from .models.v1beta1_metrics_spec import V1beta1MetricsSpec
 from .models.v1beta1_pod_metric_source import V1beta1PodMetricSource
 from .models.v1beta1_pod_metrics import V1beta1PodMetrics
+from .models.v1beta1_ext_metric_auth import V1beta1ExtMetricAuth