[Cherrypick] Use annotation instead of label to enable auth for RawDeployment (#519)

* Make label and annotation propagation configurable (kserve#4030)

* Make label and annotation propagation configurable

chore:	Make the DisallaowedAnnotations and Labels configurable through
	ConfigMap so users can configured it quickly.

fixes kserve#3710

Signed-off-by: Spolti <[email protected]>

* generate boilerplate code

Signed-off-by: Spolti <[email protected]>

* Edgar's review changes

Signed-off-by: Spolti <[email protected]>

---------

Signed-off-by: Spolti <[email protected]>

(cherry picked from commit 654d314)
Signed-off-by: Vedant Mahabaleshwarkar <[email protected]>

* Use annotation instead of label to enable auth for RawDeployment

Signed-off-by: Vedant Mahabaleshwarkar <[email protected]>
Signed-off-by: Jooho Lee <[email protected]>

* address pr comments

Signed-off-by: Vedant Mahabaleshwarkar <[email protected]>

* change code to be compatible with isvcConfig.serviceAnnotationDisallowedList and added the disallowed list to odh isvc config patch

Signed-off-by: Vedant Mahabaleshwarkar <[email protected]>

* Remove comments from inferenceservice-config configmap manifests (#518)

Signed-off-by: Jooho Lee <[email protected]>

---------

Signed-off-by: Spolti <[email protected]>
Signed-off-by: Vedant Mahabaleshwarkar <[email protected]>
Signed-off-by: Jooho Lee <[email protected]>
Co-authored-by: Filippe Spolti <[email protected]>
Co-authored-by: Vedant Mahabaleshwarkar <[email protected]>

Author: 3 people

config/configmap/inferenceservice.yaml

@@ -41,7 +41,38 @@ data:
                "defaultImageVersion": "latest"
            }
        }
-     
+    # ====================================== ISVC CONFIGURATION ======================================
+    # Example   
+     inferenceService: |-
+      {
+        "serviceAnnotationDisallowedList": [
+          "my.custom.annotation/1"  
+        ],
+        "serviceLabelDisallowedList": [
+          "my.custom.label.1"  
+        ]
+       }
+    # Example of isvc configuration
+    inferenceService: |-
+      {
+        # ServiceAnnotationDisallowedList is a list of annotations that are not allowed to be propagated to Knative 
+        # revisions, which prevents the reconciliation loop to be triggered if the annotations is 
+        # configured here are used.
+        # Default values are:
+        #  "autoscaling.knative.dev/min-scale",
+        #  "autoscaling.knative.dev/max-scale",
+        #  "internal.serving.kserve.io/storage-initializer-sourceuri",
+        #  "kubectl.kubernetes.io/last-applied-configuration"
+        # Any new value will be appended to the list.
+        "serviceAnnotationDisallowedList": [
+          "my.custom.annotation/1"  
+        ],
+        # ServiceLabelDisallowedList is a list of labels that are not allowed to be propagated to Knative revisions
+        # which prevents the reconciliation loop to be triggered if the labels is configured here are used.
+        "serviceLabelDisallowedList": [
+          "my.custom.label.1"  
+        ]
+      }  
      # ====================================== STORAGE INITIALIZER CONFIGURATION ======================================
      # Example
      storageInitializer: |-

config/overlays/odh/inferenceservice-config-patch.yaml

@@ -84,3 +84,14 @@ data:
       "enableMetricAggregation": "false",
       "enablePrometheusScraping" : "false"
     }
+
+  inferenceService: |-
+    {
+      "serviceAnnotationDisallowedList": [
+        "autoscaling.knative.dev/min-scale",
+        "autoscaling.knative.dev/max-scale",
+        "internal.serving.kserve.io/storage-initializer-sourceuri",
+        "kubectl.kubernetes.io/last-applied-configuration",
+        "security.opendatahub.io/enable-auth"
+      ]
+     }

hack/violation_exceptions.list

@@ -11,6 +11,8 @@ API rule violation: list_type_missing,github.com/kserve/kserve/pkg/apis/serving/
 API rule violation: list_type_missing,github.com/kserve/kserve/pkg/apis/serving/v1alpha1,TrainedModelList,Items
 API rule violation: list_type_missing,github.com/kserve/kserve/pkg/apis/serving/v1beta1,ComponentStatusSpec,Traffic
 API rule violation: list_type_missing,github.com/kserve/kserve/pkg/apis/serving/v1beta1,InferenceServiceList,Items
+API rule violation: list_type_missing,github.com/kserve/kserve/pkg/apis/serving/v1beta1,InferenceServicesConfig,ServiceAnnotationDisallowedList
+API rule violation: list_type_missing,github.com/kserve/kserve/pkg/apis/serving/v1beta1,InferenceServicesConfig,ServiceLabelDisallowedList
 API rule violation: list_type_missing,github.com/kserve/kserve/pkg/apis/serving/v1beta1,LoggerSpec,MetadataHeaders
 API rule violation: list_type_missing,github.com/kserve/kserve/pkg/apis/serving/v1beta1,PodSpec,Containers
 API rule violation: list_type_missing,github.com/kserve/kserve/pkg/apis/serving/v1beta1,PodSpec,EphemeralContainers

pkg/apis/serving/v1beta1/component.go

@@ -117,7 +117,6 @@ type ComponentExtensionSpec struct {
 	// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
 	// +optional
 	Annotations map[string]string `json:"annotations,omitempty"`
-
 	// The deployment strategy to use to replace existing pods with new ones. Only applicable for raw deployment mode.
 	// +optional
 	DeploymentStrategy *appsv1.DeploymentStrategy `json:"deploymentStrategy,omitempty"`

pkg/apis/serving/v1beta1/configmap.go

@@ -31,12 +31,13 @@ import (
 
 // ConfigMap Keys
 const (
-	ExplainerConfigKeyName = "explainers"
-	IngressConfigKeyName   = "ingress"
-	DeployConfigName       = "deploy"
-	LocalModelConfigName   = "localModel"
-	SecurityConfigName     = "security"
-	ServiceConfigName      = "service"
+	ExplainerConfigKeyName        = "explainers"
+	InferenceServiceConfigKeyName = "inferenceService"
+	IngressConfigKeyName          = "ingress"
+	DeployConfigName              = "deploy"
+	LocalModelConfigName          = "localModel"
+	SecurityConfigName            = "security"
+	ServiceConfigName             = "service"
 )
 
 const (
@@ -62,6 +63,11 @@ type ExplainersConfig struct {
 type InferenceServicesConfig struct {
 	// Explainer configurations
 	Explainers ExplainersConfig `json:"explainers"`
+	// ServiceAnnotationDisallowedList is a list of annotations that are not allowed to be propagated to Knative
+	// revisions
+	ServiceAnnotationDisallowedList []string `json:"serviceAnnotationDisallowedList,omitempty"`
+	// ServiceLabelDisallowedList is a list of labels that are not allowed to be propagated to Knative revisions
+	ServiceLabelDisallowedList []string `json:"serviceLabelDisallowedList,omitempty"`
 }
 
 // +kubebuilder:object:generate=false
@@ -115,7 +121,9 @@ type ServiceConfig struct {
 }
 
 func NewInferenceServicesConfig(clientset kubernetes.Interface) (*InferenceServicesConfig, error) {
-	configMap, err := clientset.CoreV1().ConfigMaps(constants.KServeNamespace).Get(context.TODO(), constants.InferenceServiceConfigMapName, metav1.GetOptions{})
+	configMap, err := clientset.CoreV1().ConfigMaps(constants.KServeNamespace).Get(
+		context.TODO(), constants.InferenceServiceConfigMapName, metav1.GetOptions{})
+
 	if err != nil {
 		return nil, err
 	}
@@ -127,6 +135,27 @@ func NewInferenceServicesConfig(clientset kubernetes.Interface) (*InferenceServi
 			return nil, err
 		}
 	}
+
+	if isvc, ok := configMap.Data[InferenceServiceConfigKeyName]; ok {
+		errisvc := json.Unmarshal([]byte(isvc), &icfg)
+		if errisvc != nil {
+			return nil, fmt.Errorf("unable to parse isvc config json: %w", errisvc)
+		}
+		if icfg.ServiceAnnotationDisallowedList == nil {
+			icfg.ServiceAnnotationDisallowedList = constants.ServiceAnnotationDisallowedList
+		} else {
+			icfg.ServiceAnnotationDisallowedList = append(
+				constants.ServiceAnnotationDisallowedList,
+				icfg.ServiceAnnotationDisallowedList...)
+		}
+		if icfg.ServiceLabelDisallowedList == nil {
+			icfg.ServiceLabelDisallowedList = constants.RevisionTemplateLabelDisallowedList
+		} else {
+			icfg.ServiceLabelDisallowedList = append(
+				constants.RevisionTemplateLabelDisallowedList,
+				icfg.ServiceLabelDisallowedList...)
+		}
+	}
 	return icfg, nil
 }
 

pkg/apis/serving/v1beta1/configmap_test.go

@@ -49,6 +49,17 @@ var (
 	ServiceConfigData = fmt.Sprintf(`{
 		"serviceClusterIPNone" : %t
 	}`, true)
+
+	ISCVWithData = fmt.Sprintf(`{
+		"serviceAnnotationDisallowedList": ["%s","%s"],
+		"serviceLabelDisallowedList": ["%s","%s"]
+	}`, "my.custom.annotation/1", "my.custom.annotation/2",
+		"my.custom.label.1", "my.custom.label.2")
+
+	ISCVNoData = fmt.Sprintf(`{
+		"serviceAnnotationDisallowedList": %s,
+		"serviceLabelDisallowedList": %s
+	}`, []string{}, []string{})
 )
 
 func TestNewInferenceServiceConfig(t *testing.T) {
@@ -147,5 +158,35 @@ func TestNewServiceConfig(t *testing.T) {
 	g.Expect(err).Should(gomega.BeNil())
 	g.Expect(nv).ShouldNot(gomega.BeNil())
 	g.Expect(nv.ServiceClusterIPNone).Should(gomega.BeFalse())
+}
+
+func TestInferenceServiceDisallowedLists(t *testing.T) {
+	g := gomega.NewGomegaWithT(t)
+	withData := fakeclientset.NewSimpleClientset(&v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{Name: constants.InferenceServiceConfigMapName, Namespace: constants.KServeNamespace},
+		Data: map[string]string{
+			InferenceServiceConfigKeyName: ISCVWithData,
+		},
+	})
+	isvcConfigWithData, err := NewInferenceServicesConfig(withData)
+	g.Expect(err).Should(gomega.BeNil())
+	g.Expect(isvcConfigWithData).ShouldNot(gomega.BeNil())
 
+	annotations := append(constants.ServiceAnnotationDisallowedList, []string{"my.custom.annotation/1", "my.custom.annotation/2"}...)
+	g.Expect(isvcConfigWithData.ServiceAnnotationDisallowedList).To(gomega.Equal(annotations))
+	labels := append(constants.RevisionTemplateLabelDisallowedList, []string{"my.custom.label.1", "my.custom.label.2"}...)
+	g.Expect(isvcConfigWithData.ServiceLabelDisallowedList).To(gomega.Equal(labels))
+
+	// with no data
+	withoutData := fakeclientset.NewSimpleClientset(&v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{Name: constants.InferenceServiceConfigMapName, Namespace: constants.KServeNamespace},
+		Data: map[string]string{
+			InferenceServiceConfigKeyName: ISCVNoData,
+		},
+	})
+	isvcConfigWithoutData, err := NewInferenceServicesConfig(withoutData)
+	g.Expect(err).Should(gomega.BeNil())
+	g.Expect(isvcConfigWithoutData).ShouldNot(gomega.BeNil())
+	g.Expect(isvcConfigWithoutData.ServiceAnnotationDisallowedList).To(gomega.Equal(constants.ServiceAnnotationDisallowedList))
+	g.Expect(isvcConfigWithoutData.ServiceLabelDisallowedList).To(gomega.Equal(constants.RevisionTemplateLabelDisallowedList))
 }

pkg/constants/constants.go

@@ -372,8 +372,6 @@ var (
 		autoscaling.MaxScaleAnnotationKey,
 		StorageInitializerSourceUriInternalAnnotationKey,
 		"kubectl.kubernetes.io/last-applied-configuration",
-		// remove when https://issues.redhat.com/browse/RHOAIENG-15662 is merged on community and ported to ODH
-		// Plus, this annotation must be moved to the inferenceservice-config
 		"security.opendatahub.io/enable-auth",
 	}
 

pkg/controller/v1beta1/inferenceservice/components/explainer.go

@@ -71,9 +71,19 @@ func NewExplainer(client client.Client, clientset kubernetes.Interface, scheme *
 func (e *Explainer) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, error) {
 	e.Log.Info("Reconciling Explainer", "ExplainerSpec", isvc.Spec.Explainer)
 	explainer := isvc.Spec.Explainer.GetImplementation()
-	annotations := utils.Filter(isvc.Annotations, func(key string) bool {
-		return !utils.Includes(constants.ServiceAnnotationDisallowedList, key)
-	})
+	var annotations map[string]string
+	if e.deploymentMode == constants.RawDeployment {
+		annotations = utils.Filter(isvc.Annotations, func(key string) bool {
+			// https://issues.redhat.com/browse/RHOAIENG-20326
+			// For RawDeployment, we allow the security.opendatahub.io/enable-auth annotation
+			return !utils.Includes(isvcutils.FilterList(e.inferenceServiceConfig.ServiceAnnotationDisallowedList, constants.ODHKserveRawAuth), key)
+		})
+	} else {
+		annotations = utils.Filter(isvc.Annotations, func(key string) bool {
+			return !utils.Includes(e.inferenceServiceConfig.ServiceAnnotationDisallowedList, key)
+		})
+	}
+
 	// KNative does not support INIT containers or mounting, so we add annotations that trigger the
 	// StorageInitializer injector to mutate the underlying deployment to provision model data
 	if sourceURI := explainer.GetStorageUri(); sourceURI != nil {
@@ -104,11 +114,20 @@ func (e *Explainer) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, erro
 	}
 
 	// Labels and annotations from explainer component
-	// Label filter will be handled in ksvc_reconciler
+	// Label filter will be handled in ksvc_reconciler and raw reconciler
 	explainerLabels := isvc.Spec.Explainer.Labels
-	explainerAnnotations := utils.Filter(isvc.Spec.Explainer.Annotations, func(key string) bool {
-		return !utils.Includes(constants.ServiceAnnotationDisallowedList, key)
-	})
+	var explainerAnnotations map[string]string
+	if e.deploymentMode == constants.RawDeployment {
+		explainerAnnotations = utils.Filter(isvc.Spec.Explainer.Annotations, func(key string) bool {
+			// https://issues.redhat.com/browse/RHOAIENG-20326
+			// For RawDeployment, we allow the security.opendatahub.io/enable-auth annotation
+			return !utils.Includes(isvcutils.FilterList(e.inferenceServiceConfig.ServiceAnnotationDisallowedList, constants.ODHKserveRawAuth), key)
+		})
+	} else {
+		explainerAnnotations = utils.Filter(isvc.Spec.Explainer.Annotations, func(key string) bool {
+			return !utils.Includes(e.inferenceServiceConfig.ServiceAnnotationDisallowedList, key)
+		})
+	}
 
 	// Labels and annotations priority: explainer component > isvc
 	// Labels and annotations from high priority will overwrite that from low priority
@@ -170,7 +189,7 @@ func (e *Explainer) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, erro
 		isvc.Status.PropagateRawStatus(v1beta1.ExplainerComponent, deployment, r.URL)
 	} else {
 		r := knative.NewKsvcReconciler(e.client, e.scheme, objectMeta, &isvc.Spec.Explainer.ComponentExtensionSpec,
-			&podSpec, isvc.Status.Components[v1beta1.ExplainerComponent])
+			&podSpec, isvc.Status.Components[v1beta1.ExplainerComponent], e.inferenceServiceConfig.ServiceLabelDisallowedList)
 
 		if err := controllerutil.SetControllerReference(isvc, r.Service, e.scheme); err != nil {
 			return ctrl.Result{}, errors.Wrapf(err, "fails to set owner reference for explainer")

pkg/controller/v1beta1/inferenceservice/components/predictor.go

@@ -88,10 +88,21 @@ func (p *Predictor) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, erro
 	if isvc.Spec.Predictor.WorkerSpec != nil {
 		multiNodeEnabled = true
 	}
+	var annotations map[string]string
+	if p.deploymentMode == constants.RawDeployment {
+		annotations = utils.Filter(isvc.Annotations, func(key string) bool {
+			// https://issues.redhat.com/browse/RHOAIENG-20326
+			// For RawDeployment, we allow the security.opendatahub.io/enable-auth annotation
+			return !utils.Includes(isvcutils.FilterList(p.inferenceServiceConfig.ServiceAnnotationDisallowedList, constants.ODHKserveRawAuth), key)
+		})
+	} else {
+		annotations = utils.Filter(isvc.Annotations, func(key string) bool {
+			return !utils.Includes(p.inferenceServiceConfig.ServiceAnnotationDisallowedList, key)
+		})
+	}
 
-	annotations := utils.Filter(isvc.Annotations, func(key string) bool {
-		return !utils.Includes(constants.ServiceAnnotationDisallowedList, key)
-	})
+	p.Log.V(1).Info("Predictor custom annotations", "annotations", p.inferenceServiceConfig.ServiceAnnotationDisallowedList)
+	p.Log.V(1).Info("Predictor custom labels", "labels", p.inferenceServiceConfig.ServiceLabelDisallowedList)
 
 	addLoggerAnnotations(isvc.Spec.Predictor.Logger, annotations)
 	addBatcherAnnotations(isvc.Spec.Predictor.Batcher, annotations)
@@ -228,9 +239,17 @@ func (p *Predictor) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, erro
 
 		// Label filter will be handled in ksvc_reconciler
 		sRuntimeLabels = sRuntime.ServingRuntimePodSpec.Labels
-		sRuntimeAnnotations = utils.Filter(sRuntime.ServingRuntimePodSpec.Annotations, func(key string) bool {
-			return !utils.Includes(constants.ServiceAnnotationDisallowedList, key)
-		})
+		if p.deploymentMode == constants.RawDeployment {
+			sRuntimeAnnotations = utils.Filter(sRuntime.ServingRuntimePodSpec.Annotations, func(key string) bool {
+				// https://issues.redhat.com/browse/RHOAIENG-20326
+				// For RawDeployment, we allow the security.opendatahub.io/enable-auth annotation
+				return !utils.Includes(isvcutils.FilterList(p.inferenceServiceConfig.ServiceAnnotationDisallowedList, constants.ODHKserveRawAuth), key)
+			})
+		} else {
+			sRuntimeAnnotations = utils.Filter(sRuntime.ServingRuntimePodSpec.Annotations, func(key string) bool {
+				return !utils.Includes(p.inferenceServiceConfig.ServiceAnnotationDisallowedList, key)
+			})
+		}
 	} else {
 		container = predictor.GetContainer(isvc.ObjectMeta, isvc.Spec.Predictor.GetExtensions(), p.inferenceServiceConfig)
 
@@ -260,11 +279,20 @@ func (p *Predictor) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, erro
 	}
 
 	// Labels and annotations from predictor component
-	// Label filter will be handled in ksvc_reconciler
+	// Label filter will be handled in ksvc_reconciler and raw reconciler
 	predictorLabels := isvc.Spec.Predictor.Labels
-	predictorAnnotations := utils.Filter(isvc.Spec.Predictor.Annotations, func(key string) bool {
-		return !utils.Includes(constants.ServiceAnnotationDisallowedList, key)
-	})
+	var predictorAnnotations map[string]string
+	if p.deploymentMode == constants.RawDeployment {
+		predictorAnnotations = utils.Filter(isvc.Spec.Predictor.Annotations, func(key string) bool {
+			// https://issues.redhat.com/browse/RHOAIENG-20326
+			// For RawDeployment, we allow the security.opendatahub.io/enable-auth annotation
+			return !utils.Includes(isvcutils.FilterList(p.inferenceServiceConfig.ServiceAnnotationDisallowedList, constants.ODHKserveRawAuth), key)
+		})
+	} else {
+		predictorAnnotations = utils.Filter(isvc.Spec.Predictor.Annotations, func(key string) bool {
+			return !utils.Includes(p.inferenceServiceConfig.ServiceAnnotationDisallowedList, key)
+		})
+	}
 
 	// Labels and annotations priority: predictor component > isvc > ServingRuntimePodSpec
 	// Labels and annotations from high priority will overwrite that from low priority
@@ -368,7 +396,7 @@ func (p *Predictor) Reconcile(isvc *v1beta1.InferenceService) (ctrl.Result, erro
 	} else {
 		podLabelKey = constants.RevisionLabel
 		r := knative.NewKsvcReconciler(p.client, p.scheme, objectMeta, &isvc.Spec.Predictor.ComponentExtensionSpec,
-			&podSpec, isvc.Status.Components[v1beta1.PredictorComponent])
+			&podSpec, isvc.Status.Components[v1beta1.PredictorComponent], p.inferenceServiceConfig.ServiceLabelDisallowedList)
 		if err := controllerutil.SetControllerReference(isvc, r.Service, p.scheme); err != nil {
 			return ctrl.Result{}, errors.Wrapf(err, "fails to set owner reference for predictor")
 		}