trustyai-explainability · RobGeada · Sep 22, 2025 · Oct 6, 2025
diff --git a/PROJECT b/PROJECT
@@ -51,4 +51,13 @@ resources:
   kind: GuardrailsOrchestrator
   path: github.com/trustyai-explainability/trustyai-service-operator/api/gorch/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: opendatahub.io
+  group: trustyai
+  kind: NemoGuardrails
+  path: github.com/trustyai-explainability/trustyai-service-operator/api/nemo/v1alpha1
+  version: v1alpha1
 version: "3"
diff --git a/api/common/ca_bundle.go b/api/common/ca_bundle.go
@@ -0,0 +1,38 @@
+package common
+
+// CABundleConfig defines the CA bundle configuration for custom certificates
+type CABundleConfig struct {
+	// ConfigMapName is the name of the ConfigMap containing CA bundle certificates
+	ConfigMapName string `json:"configMapName"`
+	// ConfigMapNamespace is the namespace of the ConfigMap (defaults to the same namespace as the CR)
+	// +optional
+	ConfigMapNamespace string `json:"configMapNamespace,omitempty"`
+	// ConfigMapKeys specifies multiple keys within the ConfigMap containing CA bundle data
+	// All certificates from these keys will be concatenated into a single CA bundle file
+	// If not specified, defaults to [DefaultCABundleKey]
+	// +optional
+	// +kubebuilder:validation:MaxItems=50
+	// +kubebuilder:validation:Items:Pattern="^[a-zA-Z0-9]([a-zA-Z0-9\\-_.]*[a-zA-Z0-9])?$"
+	// +kubebuilder:validation:Items:MaxLength=253
+	ConfigMapKeys []string `json:"configMapKeys,omitempty"`
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CABundleConfig) DeepCopyInto(out *CABundleConfig) {
+	*out = *in
+	if in.ConfigMapKeys != nil {
+		in, out := &in.ConfigMapKeys, &out.ConfigMapKeys
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CABundleConfig.
+func (in *CABundleConfig) DeepCopy() *CABundleConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(CABundleConfig)
+	in.DeepCopyInto(out)
+	return out
+}
diff --git a/api/common/condition.go b/api/common/condition.go
@@ -0,0 +1,27 @@
+package common
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type Condition struct {
+	Type string `json:"type" description:"type of condition ie. Available|Progressing|Degraded."`
+
+	Status corev1.ConditionStatus `json:"status" description:"status of the condition, one of True, False, Unknown"`
+
+	// +optional
+	Reason string `json:"reason,omitempty" description:"one-word CamelCase reason for the condition's last transition"`
+
+	// +optional
+	Message string `json:"message,omitempty" description:"human-readable message indicating details about last transition"`
+
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime" description:"last time the condition transit from one status to another"`
+}
+
+// DeepCopyInto copies all properties of this object into another object of the same type.
+func (in *Condition) DeepCopyInto(out *Condition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+}
diff --git a/api/nemo/v1alpha1/groupversion_info.go b/api/nemo/v1alpha1/groupversion_info.go
@@ -0,0 +1,36 @@
+/*
+Copyright 2023.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains API Schema definitions for the trustyai v1alpha1 API group
+// +kubebuilder:object:generate=true
+// +groupName=trustyai.opendatahub.io
+package v1alpha1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects
+	GroupVersion = schema.GroupVersion{Group: "trustyai.opendatahub.io", Version: "v1alpha1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)
diff --git a/api/nemo/v1alpha1/nemoguardrails_types.go b/api/nemo/v1alpha1/nemoguardrails_types.go
@@ -0,0 +1,87 @@
+/*
+Copyright 2023.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"github.com/trustyai-explainability/trustyai-service-operator/api/common"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// NemoGuardrailsSpec defines the desired state of NemoGuardrails
+type NemoGuardrailsSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// NemoConfig should be the name of the configmap containing the NeMO server configuration
+	NemoConfig     string                 `json:"nemoConfig,omitempty"`
+	CABundleConfig *common.CABundleConfig `json:"caBundleConfig,omitempty"`
+	// Define Env information for the main container
+	// +optional
+	Env []corev1.EnvVar `json:"env,omitempty"`
+}
+
+type CAStatus struct {
+	ODHTrustedCAFound       bool   `json:"odhTrustedCAFound"`
+	ODHTrustedCAError       string `json:"odhTrustedCAError,omitempty"`
+	OpenshiftServingCAFound bool   `json:"openshiftServingCAFound"`
+	OpenshiftServingCAError string `json:"openshiftServingCAError,omitempty"`
+	UserCAFound             bool   `json:"userCAFound,omitempty"`
+	UserCAError             string `json:"userCAError,omitempty"`
+}
+
+// NemoGuardrailStatus defines the observed state of NemoGuardrails
+type NemoGuardrailStatus struct {
+	Phase string `json:"phase,omitempty"`
+
+	// Conditions describes the state of the NemoGuardrails resource.
+	// +optional
+	Conditions []common.Condition `json:"conditions,omitempty"`
+	// CA describes the status of the CA configmaps
+	// +optional
+	CA *CAStatus `json:"ca,omitempty"`
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// NemoGuardrails is the Schema for the nemoguardrails API
+type NemoGuardrails struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   NemoGuardrailsSpec  `json:"spec,omitempty"`
+	Status NemoGuardrailStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// NemoGuardrailsList contains a list of NemoGuardrails
+type NemoGuardrailsList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []NemoGuardrails `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&NemoGuardrails{}, &NemoGuardrailsList{})
+}
diff --git a/api/nemo/v1alpha1/zz_generated.deepcopy.go b/api/nemo/v1alpha1/zz_generated.deepcopy.go
diff --git a/cmd/main.go b/cmd/main.go
@@ -19,6 +19,7 @@ package main
 import (
 	"flag"
 	"fmt"
+	nemov1alpha1 "github.com/trustyai-explainability/trustyai-service-operator/api/nemo/v1alpha1"
 	"os"
 
 	kservev1alpha1 "github.com/kserve/kserve/pkg/apis/serving/v1alpha1"
@@ -67,6 +68,7 @@ func init() {
 	utilruntime.Must(apiextensionsv1.AddToScheme(scheme))
 	utilruntime.Must(kueuev1beta1.AddToScheme(scheme))
 	utilruntime.Must(gorchv1alpha1.AddToScheme(scheme))
+	utilruntime.Must(nemov1alpha1.AddToScheme(scheme))
 	//+kubebuilder:scaffold:scheme
 }
 

diff --git a/config/base/params.env b/config/base/params.env
@@ -13,4 +13,5 @@ lmes-allow-online=true
 lmes-allow-code-execution=true
 guardrails-orchestrator-image=quay.io/trustyai/ta-guardrails-orchestrator:latest
 guardrails-built-in-detector-image=quay.io/trustyai/guardrails-detector-built-in:latest
-guardrails-sidecar-gateway-image=quay.io/trustyai/guardrails-sidecar-gateway:latest
+guardrails-sidecar-gateway-image=quay.io/trustyai/guardrails-sidecar-gateway:latest
+nemo-guardrails-image=quay.io/trustyai/nemo-guardrails-server:latest