add tls to kserve-router and add certs to ig service and always mount serving cert secret to raw deployment (#531)

pr feedback



modify callService to use TLS



Revert "modify callService to use TLS"

This reverts commit 1618bc8.

edgar feedback



fix lint errors



bug fix

Signed-off-by: Vedant Mahabaleshwarkar <[email protected]>

Author: VedantMahabaleshwarkar

cmd/router/main.go

@@ -604,8 +604,8 @@ func main() {
 		WriteTimeout: time.Minute,       // set the maximum duration before timing out writes of the response
 		IdleTimeout:  3 * time.Minute,   // set the maximum amount of time to wait for the next request when keep-alives are enabled
 	}
-	err = server.ListenAndServe()
 
+	err = server.ListenAndServeTLS("/etc/tls/private/tls.crt", "/etc/tls/private/tls.key")
 	if err != nil {
 		log.Error(err, "failed to listen on 8080")
 		os.Exit(1)

pkg/constants/constants.go

@@ -132,14 +132,15 @@ var (
 
 // kserve networking constants
 const (
-	NetworkVisibility       = "networking.kserve.io/visibility"
-	ClusterLocalVisibility  = "cluster-local"
-	ClusterLocalDomain      = "svc.cluster.local"
-	IsvcNameHeader          = "KServe-Isvc-Name"
-	IsvcNamespaceHeader     = "KServe-Isvc-Namespace"
-	ODHKserveRawAuth        = "security.opendatahub.io/enable-auth"
-	ODHRouteEnabled         = "exposed"
-	ServingCertSecretSuffix = "-serving-cert"
+	NetworkVisibility              = "networking.kserve.io/visibility"
+	ClusterLocalVisibility         = "cluster-local"
+	ClusterLocalDomain             = "svc.cluster.local"
+	IsvcNameHeader                 = "KServe-Isvc-Name"
+	IsvcNamespaceHeader            = "KServe-Isvc-Namespace"
+	ODHKserveRawAuth               = "security.opendatahub.io/enable-auth"
+	ODHRouteEnabled                = "exposed"
+	ServingCertSecretSuffix        = "-serving-cert"
+	OpenshiftServingCertAnnotation = "service.beta.openshift.io/serving-cert-secret-name"
 )
 
 // StorageSpec Constants
@@ -519,6 +520,13 @@ const (
 	OpenShiftServiceCaConfigMapName = "openshift-service-ca.crt"
 )
 
+type ResourceType string
+
+const (
+	InferenceServiceResource ResourceType = "InferenceService"
+	InferenceGraphResource   ResourceType = "InferenceGraph"
+)
+
 // GetRawServiceLabel generate native service label
 func GetRawServiceLabel(service string) string {
 	return "isvc." + service

pkg/controller/v1alpha1/inferencegraph/raw_ig.go

@@ -176,7 +176,7 @@ func handleInferenceGraphRawDeployment(cl client.Client, clientset kubernetes.In
 	objectMeta, componentExtSpec := constructForRawDeployment(graph)
 
 	// create the reconciler
-	reconciler, err := raw.NewRawKubeReconciler(cl, clientset, scheme, objectMeta, metav1.ObjectMeta{}, &componentExtSpec, desiredSvc, nil)
+	reconciler, err := raw.NewRawKubeReconciler(cl, clientset, scheme, constants.InferenceGraphResource, objectMeta, metav1.ObjectMeta{}, &componentExtSpec, desiredSvc, nil)
 
 	if err != nil {
 		return nil, nil, errors.Wrapf(err, "fails to create NewRawKubeReconciler for inference graph")
@@ -189,6 +189,7 @@ func handleInferenceGraphRawDeployment(cl client.Client, clientset kubernetes.In
 	}
 	// set Service Controller
 	for _, svc := range reconciler.Service.ServiceList {
+		svc.ObjectMeta.Annotations[constants.OpenshiftServingCertAnnotation] = graph.Name + constants.ServingCertSecretSuffix
 		if err := controllerutil.SetControllerReference(graph, svc, scheme); err != nil {
 			return nil, reconciler.URL, errors.Wrapf(err, "fails to set service owner reference for inference graph")
 		}

pkg/controller/v1beta1/inferenceservice/components/explainer.go

@@ -160,7 +160,7 @@ func (e *Explainer) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, erro
 
 	// Here we allow switch between knative and vanilla deployment
 	if e.deploymentMode == constants.RawDeployment {
-		r, err := raw.NewRawKubeReconciler(e.client, e.clientset, e.scheme, objectMeta, metav1.ObjectMeta{},
+		r, err := raw.NewRawKubeReconciler(e.client, e.clientset, e.scheme, constants.InferenceServiceResource, objectMeta, metav1.ObjectMeta{},
 			&isvc.Spec.Explainer.ComponentExtensionSpec, &podSpec, nil)
 		if err != nil {
 			return ctrl.Result{}, errors.Wrapf(err, "fails to create NewRawKubeReconciler for explainer")

pkg/controller/v1beta1/inferenceservice/components/predictor.go

@@ -365,7 +365,7 @@ func (p *Predictor) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, erro
 		rawDeployment = true
 		podLabelKey = constants.RawDeploymentAppLabel
 		// This is main RawKubeReconciler to create objects (deployment, svc, scaler)
-		r, err := raw.NewRawKubeReconciler(p.client, p.clientset, p.scheme, objectMeta, workerObjectMeta, &isvc.Spec.Predictor.ComponentExtensionSpec,
+		r, err := raw.NewRawKubeReconciler(p.client, p.clientset, p.scheme, constants.InferenceServiceResource, objectMeta, workerObjectMeta, &isvc.Spec.Predictor.ComponentExtensionSpec,
 			&podSpec, workerPodSpec)
 		if err != nil {
 			return ctrl.Result{}, errors.Wrapf(err, "fails to create NewRawKubeReconciler for predictor")

pkg/controller/v1beta1/inferenceservice/components/transformer.go

@@ -188,7 +188,7 @@ func (p *Transformer) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, er
 
 	// Here we allow switch between knative and vanilla deployment
 	if p.deploymentMode == constants.RawDeployment {
-		r, err := raw.NewRawKubeReconciler(p.client, p.clientset, p.scheme, objectMeta, metav1.ObjectMeta{},
+		r, err := raw.NewRawKubeReconciler(p.client, p.clientset, p.scheme, constants.InferenceServiceResource, objectMeta, metav1.ObjectMeta{},
 			&isvc.Spec.Transformer.ComponentExtensionSpec, &podSpec, nil)
 		if err != nil {
 			return ctrl.Result{}, errors.Wrapf(err, "fails to create NewRawKubeReconciler for transformer")

pkg/controller/v1beta1/inferenceservice/rawkube_controller_test.go

@@ -230,6 +230,7 @@ var _ = Describe("v1beta1 inference service controller", func() {
 								"serving.kserve.io/autoscalerClass":                        "hpa",
 								"serving.kserve.io/metrics":                                "cpu",
 								"serving.kserve.io/targetUtilizationPercentage":            "75",
+								constants.OpenshiftServingCertAnnotation:                   predictorDeploymentKey.Name + constants.ServingCertSecretSuffix,
 							},
 						},
 						Spec: v1.PodSpec{
@@ -649,6 +650,7 @@ var _ = Describe("v1beta1 inference service controller", func() {
 								"serving.kserve.io/autoscalerClass":                        "hpa",
 								"serving.kserve.io/metrics":                                "cpu",
 								"serving.kserve.io/targetUtilizationPercentage":            "75",
+								constants.OpenshiftServingCertAnnotation:                   "raw-foo-customized-predictor-serving-cert",
 							},
 						},
 						Spec: v1.PodSpec{
@@ -1053,6 +1055,7 @@ var _ = Describe("v1beta1 inference service controller", func() {
 								constants.StorageInitializerSourceUriInternalAnnotationKey: *isvc.Spec.Predictor.Model.StorageURI,
 								"serving.kserve.io/deploymentMode":                         "RawDeployment",
 								"serving.kserve.io/autoscalerClass":                        "external",
+								constants.OpenshiftServingCertAnnotation:                   predictorDeploymentKey.Name + constants.ServingCertSecretSuffix,
 							},
 						},
 						Spec: v1.PodSpec{
@@ -1724,6 +1727,7 @@ var _ = Describe("v1beta1 inference service controller", func() {
 								"serving.kserve.io/autoscalerClass":                        "hpa",
 								"serving.kserve.io/metrics":                                "cpu",
 								"serving.kserve.io/targetUtilizationPercentage":            "75",
+								constants.OpenshiftServingCertAnnotation:                   predictorDeploymentKey.Name + constants.ServingCertSecretSuffix,
 							},
 						},
 						Spec: v1.PodSpec{
@@ -2158,6 +2162,7 @@ var _ = Describe("v1beta1 inference service controller", func() {
 								"serving.kserve.io/autoscalerClass":                        "hpa",
 								"serving.kserve.io/metrics":                                "cpu",
 								"serving.kserve.io/targetUtilizationPercentage":            "75",
+								constants.OpenshiftServingCertAnnotation:                   predictorDeploymentKey.Name + constants.ServingCertSecretSuffix,
 							},
 						},
 						Spec: v1.PodSpec{
@@ -2598,6 +2603,12 @@ var _ = Describe("v1beta1 inference service controller", func() {
 										"--model_base_path=" + constants.DefaultModelLocalMountPath,
 										"--rest_api_timeout_in_ms=60000",
 									},
+									VolumeMounts: []v1.VolumeMount{
+										{
+											Name:      "proxy-tls",
+											MountPath: "/etc/tls/private",
+										},
+									},
 									Resources: defaultResource,
 									ReadinessProbe: &v1.Probe{
 										ProbeHandler: v1.ProbeHandler{

pkg/controller/v1beta1/inferenceservice/reconcilers/deployment/deployment_reconciler.go

@@ -26,7 +26,6 @@ import (
 	"strings"
 
 	"k8s.io/apimachinery/pkg/api/resource"
-	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"k8s.io/client-go/kubernetes"
 
 	"github.com/google/go-cmp/cmp/cmpopts"
@@ -37,6 +36,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"knative.dev/pkg/kmp"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -65,11 +65,12 @@ const (
 func NewDeploymentReconciler(client kclient.Client,
 	clientset kubernetes.Interface,
 	scheme *runtime.Scheme,
+	resourceType constants.ResourceType,
 	componentMeta metav1.ObjectMeta,
 	workerComponentMeta metav1.ObjectMeta,
 	componentExt *v1beta1.ComponentExtensionSpec,
 	podSpec *corev1.PodSpec, workerPodSpec *corev1.PodSpec) (*DeploymentReconciler, error) {
-	deploymentList, err := createRawDeploymentODH(clientset, componentMeta, workerComponentMeta, componentExt, podSpec, workerPodSpec)
+	deploymentList, err := createRawDeploymentODH(clientset, resourceType, componentMeta, workerComponentMeta, componentExt, podSpec, workerPodSpec)
 	if err != nil {
 		return nil, err
 	}
@@ -81,21 +82,26 @@ func NewDeploymentReconciler(client kclient.Client,
 	}, nil
 }
 
-func createRawDeploymentODH(clientset kubernetes.Interface, componentMeta metav1.ObjectMeta, workerComponentMeta metav1.ObjectMeta,
+func createRawDeploymentODH(clientset kubernetes.Interface, resourceType constants.ResourceType, componentMeta metav1.ObjectMeta, workerComponentMeta metav1.ObjectMeta,
 	componentExt *v1beta1.ComponentExtensionSpec,
 	podSpec *corev1.PodSpec, workerPodSpec *corev1.PodSpec) ([]*appsv1.Deployment, error) {
 	deploymentList, err := createRawDeployment(componentMeta, workerComponentMeta, componentExt, podSpec, workerPodSpec)
 	if err != nil {
 		return nil, err
 	}
+	enableAuth := false
+	// Deployment list is for multi-node, we only need to add oauth proxy and serving sercret certs to the head deployment
+	headDeployment := deploymentList[0]
 	if val, ok := componentMeta.Annotations[constants.ODHKserveRawAuth]; ok && strings.EqualFold(val, "true") {
-		for _, deployment := range deploymentList {
-			err := addOauthContainerToDeployment(clientset, deployment, componentMeta, componentExt, podSpec)
-			if err != nil {
-				return nil, err
-			}
+		enableAuth = true
+		err := addOauthContainerToDeployment(clientset, headDeployment, componentMeta, componentExt, podSpec)
+		if err != nil {
+			return nil, err
 		}
 	}
+	if (resourceType == constants.InferenceServiceResource && enableAuth) || resourceType == constants.InferenceGraphResource {
+		mountServingSecretVolumeToDeployment(headDeployment, componentMeta, resourceType)
+	}
 	return deploymentList, nil
 }
 
@@ -188,6 +194,36 @@ func createRawDefaultDeployment(componentMeta metav1.ObjectMeta,
 	return deployment, nil
 }
 
+func mountServingSecretVolumeToDeployment(deployment *appsv1.Deployment, componentMeta metav1.ObjectMeta, resourceType constants.ResourceType) {
+	updatedPodSpec := deployment.Spec.Template.Spec.DeepCopy()
+	tlsSecretVolume := corev1.Volume{
+		Name: tlsVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName:  componentMeta.Name + constants.ServingCertSecretSuffix,
+				DefaultMode: func(i int32) *int32 { return &i }(420),
+			},
+		},
+	}
+
+	updatedPodSpec.Volumes = append(updatedPodSpec.Volumes, tlsSecretVolume)
+
+	containerName := "kserve-container"
+	if resourceType == constants.InferenceGraphResource {
+		containerName = componentMeta.Name
+	}
+	for i, container := range updatedPodSpec.Containers {
+		if container.Name == containerName {
+			updatedPodSpec.Containers[i].VolumeMounts = append(updatedPodSpec.Containers[i].VolumeMounts, corev1.VolumeMount{
+				Name:      tlsVolumeName,
+				MountPath: "/etc/tls/private",
+			})
+		}
+	}
+
+	deployment.Spec.Template.Spec = *updatedPodSpec
+}
+
 func addOauthContainerToDeployment(clientset kubernetes.Interface, deployment *appsv1.Deployment, componentMeta metav1.ObjectMeta, componentExt *v1beta1.ComponentExtensionSpec,
 	podSpec *corev1.PodSpec) error {
 	var isvcname string
@@ -224,16 +260,6 @@ func addOauthContainerToDeployment(clientset kubernetes.Interface, deployment *a
 		updatedPodSpec := deployment.Spec.Template.Spec.DeepCopy()
 		//	updatedPodSpec := podSpec.DeepCopy()
 		updatedPodSpec.Containers = append(updatedPodSpec.Containers, *oauthProxyContainer)
-		tlsSecretVolume := corev1.Volume{
-			Name: tlsVolumeName,
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName:  componentMeta.Name + constants.ServingCertSecretSuffix,
-					DefaultMode: func(i int32) *int32 { return &i }(420),
-				},
-			},
-		}
-		updatedPodSpec.Volumes = append(updatedPodSpec.Volumes, tlsSecretVolume)
 		deployment.Spec.Template.Spec = *updatedPodSpec
 	}
 	return nil

pkg/controller/v1beta1/inferenceservice/reconcilers/raw/raw_kube_reconciler.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 
 	"github.com/kserve/kserve/pkg/apis/serving/v1beta1"
+	"github.com/kserve/kserve/pkg/constants"
 	autoscaler "github.com/kserve/kserve/pkg/controller/v1beta1/inferenceservice/reconcilers/autoscaler"
 	deployment "github.com/kserve/kserve/pkg/controller/v1beta1/inferenceservice/reconcilers/deployment"
 	"github.com/kserve/kserve/pkg/controller/v1beta1/inferenceservice/reconcilers/ingress"
@@ -51,6 +52,7 @@ type RawKubeReconciler struct {
 func NewRawKubeReconciler(client client.Client,
 	clientset kubernetes.Interface,
 	scheme *runtime.Scheme,
+	resourceType constants.ResourceType,
 	componentMeta metav1.ObjectMeta,
 	workerComponentMeta metav1.ObjectMeta,
 	componentExt *v1beta1.ComponentExtensionSpec,
@@ -75,7 +77,7 @@ func NewRawKubeReconciler(client client.Client,
 		log.Error(err1, "failed to get service config")
 	}
 
-	depl, err := deployment.NewDeploymentReconciler(client, clientset, scheme, componentMeta, workerComponentMeta, componentExt, podSpec, workerPodSpec)
+	depl, err := deployment.NewDeploymentReconciler(client, clientset, scheme, resourceType, componentMeta, workerComponentMeta, componentExt, podSpec, workerPodSpec)
 	if err != nil {
 		return nil, err
 	}

pkg/controller/v1beta1/inferenceservice/reconcilers/service/service_reconciler.go

@@ -170,11 +170,12 @@ func createDefaultSvc(componentMeta metav1.ObjectMeta, componentExt *v1beta1.Com
 		},
 	}
 
+	if service.ObjectMeta.Annotations == nil {
+		service.ObjectMeta.Annotations = make(map[string]string)
+	}
+	service.ObjectMeta.Annotations[constants.OpenshiftServingCertAnnotation] = componentMeta.Name + constants.ServingCertSecretSuffix
+
 	if val, ok := componentMeta.Annotations[constants.ODHKserveRawAuth]; ok && strings.EqualFold(val, "true") {
-		if service.ObjectMeta.Annotations == nil {
-			service.ObjectMeta.Annotations = make(map[string]string)
-		}
-		service.ObjectMeta.Annotations["service.beta.openshift.io/serving-cert-secret-name"] = componentMeta.Name + constants.ServingCertSecretSuffix
 		httpsPort := corev1.ServicePort{
 			Name: "https",
 			Port: constants.OauthProxyPort,