From ae0ce95e65dc601fca80e8d3c75115ea2da92bba Mon Sep 17 00:00:00 2001 
From: Rob Geada Date: Wed, 5 Jul 2023 11:53:50 +0100 Subject: [PATCH 1/3] Add TrustyAI operator to ODH --- kfdef/odh-core.yaml | 5 + kfdef/trustyai.yaml | 20 -- tests/basictests/trustyai.sh | 166 ++++++++------- tests/resources/trustyai/model.yaml | 13 -- tests/resources/trustyai/service_account.yaml | 17 -- tests/resources/trustyai/trustyai_crd.yaml | 18 ++ .../trustyai/trustyai_operator_configmap.yaml | 7 + .../trustyai/trustyai_operator_kfdef.yaml | 15 ++ tests/setup/odh-core.yaml | 4 +- .../OWNERS | 0 trustyai-service-operator/README.md | 141 +++++++++++++ .../base/kustomization.yaml | 73 +++++++ .../base/manager_auth_proxy_patch.yaml | 55 +++++ .../base/manager_config_patch.yaml | 10 + ...styai.opendatahub.io_trustyaiservices.yaml | 122 +++++++++++ .../crd/kustomization.yaml | 21 ++ .../crd/kustomizeconfig.yaml | 19 ++ .../cainjection_in_trustyaiservices.yaml | 7 + .../patches/webhook_in_trustyaiservices.yaml | 16 ++ .../manager/kustomization.yaml | 8 + .../manager/manager.yaml | 100 +++++++++ .../manifests/kustomization.yaml | 27 +++ .../prometheus/kustomization.yaml | 2 + .../prometheus/monitor.yaml | 26 +++ .../rbac/auth_proxy_client_clusterrole.yaml | 16 ++ .../rbac/auth_proxy_role.yaml | 24 +++ .../rbac/auth_proxy_role_binding.yaml | 19 ++ .../rbac/auth_proxy_service.yaml | 21 ++ .../rbac/kustomization.yaml | 18 ++ .../rbac/leader_election_role.yaml | 44 ++++ .../rbac/leader_election_role_binding.yaml | 19 ++ trustyai-service-operator/rbac/role.yaml | 155 ++++++++++++++ .../rbac/role_binding.yaml | 19 ++ .../rbac/service_account.yaml | 12 ++ .../rbac/trustyaiservice_editor_role.yaml | 31 +++ .../rbac/trustyaiservice_viewer_role.yaml | 27 +++ .../samples/kustomization.yaml | 4 + ...endatahub.io_v1alpha1_trustyaiservice.yaml | 12 ++ .../scorecard/bases/config.yaml | 7 + .../scorecard/kustomization.yaml | 16 ++ .../scorecard/patches/basic.config.yaml | 10 + .../scorecard/patches/olm.config.yaml | 50 +++++ trustyai-service/README.md | 38 ---- 
trustyai-service/base/kustomization.yaml | 11 - trustyai-service/base/pvc.yaml | 11 - trustyai-service/base/route.yaml | 17 -- trustyai-service/base/trustyai-configmap.yaml | 12 -- trustyai-service/default/kustomization.yaml | 4 - .../default/trustyai-deployment.yaml | 193 ------------------ .../servicemonitors/kustomization.yaml | 4 - .../servicemonitors/trustyai-metrics.yaml | 30 --- 51 files changed, 1265 insertions(+), 451 deletions(-) delete mode 100644 kfdef/trustyai.yaml delete mode 100644 tests/resources/trustyai/model.yaml delete mode 100644 tests/resources/trustyai/service_account.yaml create mode 100644 tests/resources/trustyai/trustyai_crd.yaml create mode 100644 tests/resources/trustyai/trustyai_operator_configmap.yaml create mode 100644 tests/resources/trustyai/trustyai_operator_kfdef.yaml rename {trustyai-service => trustyai-service-operator}/OWNERS (100%) create mode 100644 trustyai-service-operator/README.md create mode 100644 trustyai-service-operator/base/kustomization.yaml create mode 100644 trustyai-service-operator/base/manager_auth_proxy_patch.yaml create mode 100644 trustyai-service-operator/base/manager_config_patch.yaml create mode 100644 trustyai-service-operator/crd/bases/trustyai.opendatahub.io.trustyai.opendatahub.io_trustyaiservices.yaml create mode 100644 trustyai-service-operator/crd/kustomization.yaml create mode 100644 trustyai-service-operator/crd/kustomizeconfig.yaml create mode 100644 trustyai-service-operator/crd/patches/cainjection_in_trustyaiservices.yaml create mode 100644 trustyai-service-operator/crd/patches/webhook_in_trustyaiservices.yaml create mode 100644 trustyai-service-operator/manager/kustomization.yaml create mode 100644 trustyai-service-operator/manager/manager.yaml create mode 100644 trustyai-service-operator/manifests/kustomization.yaml create mode 100644 trustyai-service-operator/prometheus/kustomization.yaml create mode 100644 trustyai-service-operator/prometheus/monitor.yaml create mode 100644 
trustyai-service-operator/rbac/auth_proxy_client_clusterrole.yaml create mode 100644 trustyai-service-operator/rbac/auth_proxy_role.yaml create mode 100644 trustyai-service-operator/rbac/auth_proxy_role_binding.yaml create mode 100644 trustyai-service-operator/rbac/auth_proxy_service.yaml create mode 100644 trustyai-service-operator/rbac/kustomization.yaml create mode 100644 trustyai-service-operator/rbac/leader_election_role.yaml create mode 100644 trustyai-service-operator/rbac/leader_election_role_binding.yaml create mode 100644 trustyai-service-operator/rbac/role.yaml create mode 100644 trustyai-service-operator/rbac/role_binding.yaml create mode 100644 trustyai-service-operator/rbac/service_account.yaml create mode 100644 trustyai-service-operator/rbac/trustyaiservice_editor_role.yaml create mode 100644 trustyai-service-operator/rbac/trustyaiservice_viewer_role.yaml create mode 100644 trustyai-service-operator/samples/kustomization.yaml create mode 100644 trustyai-service-operator/samples/trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml create mode 100644 trustyai-service-operator/scorecard/bases/config.yaml create mode 100644 trustyai-service-operator/scorecard/kustomization.yaml create mode 100644 trustyai-service-operator/scorecard/patches/basic.config.yaml create mode 100644 trustyai-service-operator/scorecard/patches/olm.config.yaml delete mode 100644 trustyai-service/README.md delete mode 100644 trustyai-service/base/kustomization.yaml delete mode 100644 trustyai-service/base/pvc.yaml delete mode 100644 trustyai-service/base/route.yaml delete mode 100644 trustyai-service/base/trustyai-configmap.yaml delete mode 100644 trustyai-service/default/kustomization.yaml delete mode 100644 trustyai-service/default/trustyai-deployment.yaml delete mode 100644 trustyai-service/servicemonitors/kustomization.yaml delete mode 100644 trustyai-service/servicemonitors/trustyai-metrics.yaml 
diff --git a/kfdef/odh-core.yaml b/kfdef/odh-core.yaml index aebedeb06..16223cdcc 100644 --- a/kfdef/odh-core.yaml +++ b/kfdef/odh-core.yaml @@ -55,6 +55,11 @@ spec: name: manifests path: data-science-pipelines-operator/ name: data-science-pipelines-operator + - kustomizeConfig: + repoRef: + name: manifests + path: trustyai-service-operator + name: trustyai-service-operator repos: - name: manifests uri: https://github.com/opendatahub-io/odh-manifests/tarball/master diff --git a/kfdef/trustyai.yaml b/kfdef/trustyai.yaml deleted file mode 100644 index 7de257a53..000000000 --- a/kfdef/trustyai.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: kfdef.apps.kubeflow.org/v1 -kind: KfDef -metadata: - name: odh-trustyai -spec: - applications: - - kustomizeConfig: - repoRef: - name: manifests - path: odh-common - name: odh-common - - kustomizeConfig: - repoRef: - name: manifests - path: trustyai-service - name: trustyai - repos: - - name: manifests - uri: https://github.com/opendatahub-io/odh-manifests/tarball/master - version: master \ No newline at end of file diff --git a/tests/basictests/trustyai.sh b/tests/basictests/trustyai.sh index a25949b08..dd7b0eb52 100755 --- a/tests/basictests/trustyai.sh +++ b/tests/basictests/trustyai.sh 
@@ -9,77 +9,78 @@ RESOURCEDIR="${MY_DIR}/../resources" TEST_USER=${OPENSHIFT_TESTUSER_NAME:-"admin"} #Username used to login to the ODH Dashboard TEST_PASS=${OPENSHIFT_TESTUSER_PASS:-"admin"} #Password used to login to the ODH Dashboard -OPENSHIFT_OAUTH_ENDPOINT="https://$(oc get route -n openshift-authentication oauth-openshift -o json | jq -r '.spec.host')" -MM_NAMESPACE="${ODHPROJECT}-model" +MM_NAMESPACE="${ODHPROJECT}-model" -os::test::junit::declare_suite_start "$MY_SCRIPT" +# trackers of test successes +REQUESTS_CREATED=false +FAILURE=false +FAILURE_HANDLING='FAILURE=true && echo -e "\033[0;31mERROR\033[0m"' -function get_authentication(){ - header "Getting authentication credentials to cluster" - oc adm policy add-role-to-user view -n ${ODHPROJECT} --rolebinding-name "view-$TEST_USER" $TEST_USER - TESTUSER_BEARER_TOKEN="$(curl -kiL -u $TEST_USER:$TEST_PASS -H 'X-CSRF-Token: xxx' $OPENSHIFT_OAUTH_ENDPOINT'/oauth/authorize?response_type=token&client_id=openshift-challenging-client' | grep -oP 'access_token=\K[^&]*')" -} -function check_trustyai_resources() { - header "Checking that TrustyAI resources have spun up" - oc project $ODHPROJECT - os::cmd::try_until_text "oc get deployment modelmesh-controller" "modelmesh-controller" $odhdefaulttimeout $odhdefaultinterval - os::cmd::try_until_text "oc get deployment trustyai-service" "trustyai-service" $odhdefaulttimeout $odhdefaultinterval - os::cmd::try_until_text "oc get route trustyai-service-route" "trustyai-service-route" $odhdefaulttimeout $odhdefaultinterval +os::test::junit::declare_suite_start "$MY_SCRIPT" - oc wait --for=condition=Ready $(oc get pod -o name | grep trustyai) --timeout=${odhdefaulttimeout}ms +function setup_monitoring() { + header "Enabling User Workload Monitoring on the cluster" + oc apply -f ${RESOURCEDIR}/modelmesh/enable-uwm.yaml || eval "$FAILURE_HANDLING" } function deploy_model() { header "Deploying model into ModelMesh" - oc new-project $MM_NAMESPACE - os::cmd::expect_success "oc 
project $MM_NAMESPACE" - os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/modelmesh/service_account.yaml -n ${MM_NAMESPACE}" + oc new-project $MM_NAMESPACE || true + + os::cmd::expect_success "oc project $MM_NAMESPACE" || eval "$FAILURE_HANDLING" + os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/modelmesh/service_account.yaml -n ${MM_NAMESPACE}" || eval "$FAILURE_HANDLING" oc label namespace $MM_NAMESPACE "modelmesh-enabled=true" --overwrite=true || echo "Failed to apply modelmesh-enabled label." - os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/secret.yaml -n ${MM_NAMESPACE}" - os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/odh-mlserver-0.x.yaml -n ${MM_NAMESPACE}" -# os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/model.yaml -n ${MM_NAMESPACE}" + os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/secret.yaml -n ${MM_NAMESPACE}" || eval "$FAILURE_HANDLING" + os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/odh-mlserver-0.x.yaml -n ${MM_NAMESPACE}" || eval "$FAILURE_HANDLING" SECRETKEY=$(openssl rand -hex 32) - sed -i "s//$SECRETKEY/g" ${RESOURCEDIR}/trustyai/sample-minio.yaml - os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/sample-minio.yaml -n ${MM_NAMESPACE}" - #os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/openvino-serving-runtime.yaml -n ${MM_NAMESPACE}" - os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/openvino-inference-service.yaml -n ${MM_NAMESPACE}" - sleep 30 + sed -i "s//$SECRETKEY/g" ${RESOURCEDIR}/trustyai/sample-minio.yaml || eval "$FAILURE_HANDLING" + os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/sample-minio.yaml -n ${MM_NAMESPACE}" || eval "$FAILURE_HANDLING" + os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/openvino-inference-service.yaml -n ${MM_NAMESPACE}" || eval "$FAILURE_HANDLING" + os::cmd::expect_success "oc apply -f ${RESOURCEDIR}/trustyai/trustyai_crd.yaml -n ${MM_NAMESPACE}" || eval 
"$FAILURE_HANDLING" +} +function check_trustyai_resources() { + header "Checking that TrustyAI resources have spun up" + oc project $MM_NAMESPACE || eval "$FAILURE_HANDLING" + + os::cmd::try_until_text "oc get deployment trustyai-service" "trustyai-service" $odhdefaulttimeout $odhdefaultinterval || eval "$FAILURE_HANDLING" + os::cmd::try_until_text "oc get route trustyai-service-route" "trustyai-service-route" $odhdefaulttimeout $odhdefaultinterval || eval "$FAILURE_HANDLING" + os::cmd::try_until_text "oc get pod | grep trustyai-service" "1/1" $odhdefaulttimeout $odhdefaultinterval || eval "$FAILURE_HANDLING" } function check_mm_resources() { header "Checking that ModelMesh resources have spun up" - oc project $MM_NAMESPACE + oc project $MM_NAMESPACE || eval "$FAILURE_HANDLING" + + os::cmd::try_until_text "oc get pod | grep modelmesh-serving" "5/5" $odhdefaulttimeout $odhdefaultinterval || eval "$FAILURE_HANDLING" os::cmd::try_until_text "oc get route example-sklearn-isvc" "example-sklearn-isvc" $odhdefaulttimeout $odhdefaultinterval - INFER_ROUTE=$(oc get route example-sklearn-isvc --template={{.spec.host}}{{.spec.path}}) - token=$(oc create token user-one -n ${MM_NAMESPACE}) - os::cmd::try_until_text "oc get pod | grep modelmesh-serving" "5/5" $odhdefaulttimeout $odhdefaultinterval - os::cmd::try_until_text "curl -k https://$INFER_ROUTE/infer -d @${RESOURCEDIR}/trustyai/data.json -H 'Authorization: Bearer $token' -i" "model_name" + INFER_ROUTE=$(oc get route example-sklearn-isvc --template={{.spec.host}}{{.spec.path}}) || eval "$FAILURE_HANDLING" + token=$(oc create token user-one -n ${MM_NAMESPACE}) || eval "$FAILURE_HANDLING" + os::cmd::try_until_text "curl -k https://$INFER_ROUTE/infer -d @${RESOURCEDIR}/trustyai/data.json -H 'Authorization: Bearer $token' -i" "model_name" || eval "$FAILURE_HANDLING" } function check_communication(){ header "Check communication between TrustyAI and ModelMesh" - oc project $MM_NAMESPACE + oc project $MM_NAMESPACE || eval 
"$FAILURE_HANDLING" # send some data to modelmesh - os::cmd::expect_success_and_text "curl -k https://$INFER_ROUTE/infer -d @${RESOURCEDIR}/trustyai/data.json -H 'Authorization: Bearer $token' -i" "model_name" - oc project ${ODHPROJECT} - os::cmd::try_until_text "oc logs $(oc get pods -o name | grep trustyai-service)" "Received partial input payload" $odhdefaulttimeout $odhdefaultinterval + os::cmd::expect_success_and_text "curl -k https://$INFER_ROUTE/infer -d @${RESOURCEDIR}/trustyai/data.json -H 'Authorization: Bearer $token' -i" "model_name" || eval "$FAILURE_HANDLING" + os::cmd::try_until_text "oc logs $(oc get pods -o name | grep trustyai-service)" "Received partial input payload" $odhdefaulttimeout $odhdefaultinterval || eval "$FAILURE_HANDLING" } function generate_data(){ header "Generate some data for TrustyAI (this will take a sec)" - oc project $MM_NAMESPACE + oc project $MM_NAMESPACE || eval "$FAILURE_HANDLING" # send a bunch of random data to the model DIVISOR=128.498 # divide bash's $RANDOM by this to get a float range of [0.,255.], for MNIST for i in {1..500}; do - DATA=$(sed "s/\[40.83, 3.5, 0.5, 0\]/\[$(($RANDOM % 2)),$(($RANDOM / 128)),$(($RANDOM / 128)), $(($RANDOM / 128)) \]/" ${RESOURCEDIR}/trustyai/data.json) + DATA=$(sed "s/\[40.83, 3.5, 0.5, 0\]/\[$(($RANDOM % 2)),$(($RANDOM / 128)),$(($RANDOM / 128)), $(($RANDOM / 128)) \]/" ${RESOURCEDIR}/trustyai/data.json) || eval "$FAILURE_HANDLING" curl -k https://$INFER_ROUTE/infer -d "$DATA" -H 'Authorization: Bearer $token' -i > /dev/null 2>&1 & sleep .01 done 
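Review bot: In generate_data the `curl` is invoked directly rather than through an `os::cmd` string, so the single-quoted `-H 'Authorization: Bearer $token'` sends the literal text `$token` instead of the token created in check_mm_resources. The call is backgrounded and its output goes to `/dev/null`, so if the route enforces the token, the rejected requests are never noticed and the 500 samples may not reach the model. Use `-H "Authorization: Bearer $token"` and consider asserting on at least one response. This is unchanged context next to the edited `DATA=` line, and the function's closing brace lies outside the hunk.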
@@ -87,66 +88,73 @@ function generate_data(){ function schedule_and_check_request(){ header "Create a metric request and confirm calculation" - oc project $ODHPROJECT - TRUSTY_ROUTE=$(oc get route/trustyai --template={{.spec.host}}) + oc project $MM_NAMESPACE + + TRUSTY_ROUTE=https://$(oc get route/trustyai-service --template={{.spec.host}}) || eval "$FAILURE_HANDLING" - os::cmd::expect_success_and_text "curl --location http://$TRUSTY_ROUTE/metrics/spd/request \ + os::cmd::expect_success_and_text "curl -k --location $TRUSTY_ROUTE/metrics/spd/request \ --header 'Content-Type: application/json' \ --data '{ \"modelId\": \"example-sklearn-isvc\", - \"protectedAttribute\": \"input-0\", - \"favorableOutcome\": { - \"type\": \"INT64\", - \"value\": 0.0 - }, - \"outcomeName\": \"output-0\", - \"privilegedAttribute\": { - \"type\": \"DOUBLE\", - \"value\": 0.0 - }, - \"unprivilegedAttribute\": { - \"type\": \"DOUBLE\", - \"value\": 1.0 - } - }'" "requestId" - os::cmd::try_until_text "curl http://$TRUSTY_ROUTE/q/metrics" "trustyai_spd" + \"protectedAttribute\": \"predict-0\", + \"favorableOutcome\": 0, + \"outcomeName\": \"predict\", + \"privilegedAttribute\": 0.0, + \"unprivilegedAttribute\": 1.0 + }'" "requestId" || eval "$FAILURE_HANDLING" + os::cmd::try_until_text "curl -k $TRUSTY_ROUTE/q/metrics" "trustyai_spd" || eval "$FAILURE_HANDLING" + REQUESTS_CREATED=true; } function test_prometheus_scraping(){ header "Ensure metrics are in Prometheus" - MODEL_MONITORING_ROUTE=$(oc get route -n ${ODHPROJECT} odh-model-monitoring --template={{.spec.host}}) - os::cmd::try_until_text "curl -k --location -g --request GET 'https://'$MODEL_MONITORING_ROUTE'//api/v1/query?query=trustyai_spd' -H 'Authorization: Bearer $TESTUSER_BEARER_TOKEN' -i" "value" $odhdefaulttimeout $odhdefaultinterval + + SECRET=`oc get secret -n openshift-user-workload-monitoring | grep prometheus-user-workload-token | head -n 1 | awk '{print $1 }'` || eval "$FAILURE_HANDLING" + TOKEN=`echo $(oc get secret 
$SECRET -n openshift-user-workload-monitoring -o json | jq -r '.data.token') | base64 -d` || eval "$FAILURE_HANDLING" + THANOS_QUERIER_HOST=`oc get route thanos-querier -n openshift-monitoring -o json | jq -r '.spec.host'` || eval "$FAILURE_HANDLING" + os::cmd::try_until_text "curl -X GET -kG \"https://$THANOS_QUERIER_HOST/api/v1/query?\" --data-urlencode \"query=trustyai_spd{namespace='opendatahub-model'}\" -H 'Authorization: Bearer $TOKEN' | jq '.data.result[0].metric.protected'" "predict-0" $odhdefaulttimeout $odhdefaultinterval || eval "$FAILURE_HANDLING" } function teardown_trustyai_test() { header "Cleaning up the TrustyAI test" - oc project $ODHPROJECT - - REQUEST_ID="$(curl http://$TRUSTY_ROUTE/metrics/spd/requests | jq '.requests [0].id')" - os::cmd::expect_success_and_text "curl -X DELETE --location http://$TRUSTY_ROUTE/metrics/spd/request \ - -H 'Content-Type: application/json' \ - -d '{ - \"requestId\": \"'"$REQUEST_ID"'\" - }'" "Removed" + oc project $MM_NAMESPACE || eval "$FAILURE_HANDLING" + TRUSTY_ROUTE=http://$(oc get route/trustyai-service --template={{.spec.host}}) || eval "$FAILURE_HANDLING" - oc project $MM_NAMESPACE - os::cmd::expect_success "oc delete -f ${RESOURCEDIR}/trustyai/secret.yaml" - os::cmd::expect_success "oc delete -f ${RESOURCEDIR}/trustyai/odh-mlserver-0.x.yaml" - os::cmd::expect_success "oc delete -f ${RESOURCEDIR}/trustyai/model.yaml" - os::cmd::expect_success "oc delete project $MM_NAMESPACE" + if [ $REQUESTS_CREATED = true ]; then + for METRIC_NAME in "spd" "dir" + do + curl -sk $TRUSTY_ROUTE/metrics/$METRIC_NAME/requests + for REQUEST in $(curl -sk $TRUSTY_ROUTE/metrics/$METRIC_NAME/requests | jq -r '.requests [].id') + do + echo -n $REQUEST": " + curl -k -X DELETE --location $TRUSTY_ROUTE/metrics/$METRIC_NAME/request \ + -H 'Content-Type: application/json' \ + -d "{ + \"requestId\": \"$REQUEST\" + }" + echo + done + done + fi + os::cmd::expect_success "oc delete -f ${RESOURCEDIR}/trustyai/secret.yaml" || eval 
"$FAILURE_HANDLING" + os::cmd::expect_success "oc delete -f ${RESOURCEDIR}/trustyai/odh-mlserver-0.x.yaml" || eval "$FAILURE_HANDLING" + os::cmd::expect_success "oc delete -f ${RESOURCEDIR}/trustyai/trustyai_crd.yaml" || eval "$FAILURE_HANDLING" + os::cmd::expect_success "oc delete project $MM_NAMESPACE" || eval "$FAILURE_HANDLING" } -get_authentication -deploy_model -check_mm_resources -check_communication -generate_data -schedule_and_check_request -test_prometheus_scraping +setup_monitoring +[ $FAILURE = false ] && deploy_model || echo -e "\033[0;31mSkipping model deployment due to previous failure\033[0m" +[ $FAILURE = false ] && check_trustyai_resources || echo -e "\033[0;31mSkipping TrustyAI resource check due to previous failure\033[0m" +[ $FAILURE = false ] && check_mm_resources || echo -e "\033[0;31mSkipping ModelMesh resource check due to previous failure\033[0m" +[ $FAILURE = false ] && check_communication || echo -e "\033[0;31mSkipping ModelMesh-TrustyAI communication check due to previous failure\033[0m" +[ $FAILURE = false ] && generate_data || echo -e "\033[0;31mSkipping data generation due to previous failure\033[0m" +[ $FAILURE = false ] && schedule_and_check_request || echo -e "\033[0;31mSkipping metric scheduling due to previous failure\033[0m" +[ $FAILURE = false ] && test_prometheus_scraping || echo -e "\033[0;31mSkipping Prometheus data check due to previous failure\033[0m" teardown_trustyai_test +[ $FAILURE = true ] && os::cmd::expect_success "echo 'A previous assertion failed, marking suite as failed' && exit 1" -os::test::junit::declare_suite_end +os::test::junit::declare_suite_end \ No newline at end of file diff --git a/tests/resources/trustyai/model.yaml b/tests/resources/trustyai/model.yaml deleted file mode 100644 index c9b9dbfa1..000000000 --- a/tests/resources/trustyai/model.yaml +++ /dev/null 
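Review bot: teardown_trustyai_test rebuilds `TRUSTY_ROUTE` with `http://` while schedule_and_check_request uses `https://`, so the DELETE calls go out in plaintext and only work if the route redirects or accepts insecure traffic; nothing asserts their result, so leftover metric requests would go unnoticed. Use `TRUSTY_ROUTE=https://$(oc get route/trustyai-service --template={{.spec.host}})` in both functions. In test_prometheus_scraping the query hard-codes `namespace='opendatahub-model'` although the script derives `MM_NAMESPACE` from `ODHPROJECT`; `namespace='${MM_NAMESPACE}'` keeps the two in step. The service-account `$TOKEN` is also expanded into the command string handed to `os::cmd::try_until_text` and sent with `-k`, so it is worth confirming that string does not end up in the junit output.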
@@ -1,13 +0,0 @@
-apiVersion: serving.kserve.io/v1beta1
-kind: InferenceService
-metadata:
- name: example-sklearn-isvc
- annotations:
- serving.kserve.io/deploymentMode: ModelMesh
-spec:
- predictor:
- model:
- modelFormat:
- name: sklearn
- runtime: mlserver-0.x
- storageUri: "https://github.com/trustyai-explainability/trustyai-explainability/raw/main/explainability-service/demo/models/model.joblib?raw=true"
\ No newline at end of file
diff --git a/tests/resources/trustyai/service_account.yaml b/tests/resources/trustyai/service_account.yaml
deleted file mode 100644
index 7977ca1d8..000000000
--- a/tests/resources/trustyai/service_account.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: user-one
-
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: user-one-view
-subjects:
- - kind: ServiceAccount
- name: user-one
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: view
diff --git a/tests/resources/trustyai/trustyai_crd.yaml b/tests/resources/trustyai/trustyai_crd.yaml
new file mode 100644
index 000000000..b404fcfbe
--- /dev/null
+++ b/tests/resources/trustyai/trustyai_crd.yaml
@@ -0,0 +1,18 @@
+apiVersion: trustyai.opendatahub.io.trustyai.opendatahub.io/v1alpha1
+kind: TrustyAIService
+metadata:
+ name: trustyai-service
+spec:
+ # Optional values for replicas, image and tag. Below are the default values.
+ # replicas: 1
+ # image: quay.io/trustyaiservice/trustyai-service
+ # tag: latest
+ storage:
+ format: "PVC"
+ folder: "/inputs"
+ size: "1Gi"
+ data:
+ filename: "data.csv"
+ format: "CSV"
+ metrics:
+ schedule: "5s"
\ No newline at end of file
diff --git a/tests/resources/trustyai/trustyai_operator_configmap.yaml b/tests/resources/trustyai/trustyai_operator_configmap.yaml
new file mode 100644
index 000000000..9dc9d37aa
--- /dev/null
+++ b/tests/resources/trustyai/trustyai_operator_configmap.yaml
@@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: trustyai-service-operator-config +data: + trustyaiServiceImageName: "quay.io/trustyai/trustyai-service" + trustyaiServiceImageTag: "latest" \ No newline at end of file diff --git a/tests/resources/trustyai/trustyai_operator_kfdef.yaml b/tests/resources/trustyai/trustyai_operator_kfdef.yaml new file mode 100644 index 000000000..d9970a9c7 --- /dev/null +++ b/tests/resources/trustyai/trustyai_operator_kfdef.yaml @@ -0,0 +1,15 @@ +apiVersion: kfdef.apps.kubeflow.org/v1 +kind: KfDef +metadata: + name: trustyai-service-operator +spec: + applications: + - kustomizeConfig: + repoRef: + name: manifests + path: trustyai-service-operator + name: trustyai-service-operator + repos: + - name: manifests + uri: https://github.com/trustyai-explainability/trustyai-service-operator/tarball/main + version: v1.0.0 \ No newline at end of file diff --git a/tests/setup/odh-core.yaml b/tests/setup/odh-core.yaml index a3c612e28..226973464 100644 --- a/tests/setup/odh-core.yaml +++ b/tests/setup/odh-core.yaml @@ -55,8 +55,8 @@ spec: - kustomizeConfig: repoRef: name: manifests - path: trustyai-service - name: trustyai + path: trustyai-service-operator + name: trustyai-service-operator - kustomizeConfig: repoRef: name: manifests diff --git a/trustyai-service/OWNERS b/trustyai-service-operator/OWNERS similarity index 100% rename from trustyai-service/OWNERS rename to trustyai-service-operator/OWNERS diff --git a/trustyai-service-operator/README.md b/trustyai-service-operator/README.md new file mode 100644 index 000000000..6bc47e267 --- /dev/null +++ b/trustyai-service-operator/README.md 
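Review bot: `trustyaiServiceImageTag: "latest"` makes the operator deploy whatever image currently carries that tag, so test runs are not reproducible and a changed upstream image is pulled without review. Pin a released tag or a digest instead, e.g. `trustyaiServiceImageTag: "<released-tag>"`. The commented defaults in tests/resources/trustyai/trustyai_crd.yaml also name a different repository (`quay.io/trustyaiservice/trustyai-service`) than this ConfigMap (`quay.io/trustyai/trustyai-service`); one of the two looks stale.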
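Review bot: In trustyai_operator_kfdef.yaml the `repos` entry fetches `.../trustyai-service-operator/tarball/main` while declaring `version: v1.0.0`, so the manifests applied to the cluster track a moving branch rather than the stated release. Point the URI at an immutable ref, `uri: https://github.com/trustyai-explainability/trustyai-service-operator/tarball/<tag-or-commit>`, so that `version` and the fetched content agree.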
@@ -0,0 +1,141 @@ +[![Controller Tests](https://github.com/trustyai-explainability/trustyai-service-operator/actions/workflows/controller-tests.yaml/badge.svg)](https://github.com/trustyai-explainability/trustyai-service-operator/actions/workflows/controller-tests.yaml) +# TrustyAI Kubernetes Operator + +## Overview + +The TrustyAI Kubernetes Operator aims at simplifying the deployment and management of the [TrustyAI service](https://github.com/trustyai-explainability/trustyai-explainability/tree/main/explainability-service) on Kubernetes and OpenShift clusters by watching for custom resources of kind `TrustyAIService` in the `trustyai.opendatahub.io` API group and manages deployments, services, and optionally, routes and `ServiceMonitors` corresponding to these resources. + +The operator ensures the service is properly configured, is discoverable by Prometheus for metrics scraping (on both Kubernetes and OpenShift), and is accessible via a Route on OpenShift. + +## Prerequisites + +- Kubernetes cluster v1.19+ or OpenShift cluster v4.6+ +- `kubectl` v1.19+ or `oc` client v4.6+ + +## Installation using pre-built Operator image + +This operator is available as an [image on Quay.io](https://quay.io/repository/trustyai/trustyai-service-operator?tab=history). +To deploy it on your cluster: + +1. **Install the Custom Resource Definition (CRD):** + + Apply the CRD to your cluster (replace the URL with the relevant one, if using another repository): + + ```bash + kubectl apply -f https://raw.githubusercontent.com/trustyai-explainability/trustyai-service-operator/main/config/crd/bases/trustyai.opendatahub.io.trustyai.opendatahub.io_trustyaiservices.yaml + ``` + +2. 
**Deploy the Operator:** + + Apply the following Kubernetes manifest to deploy the operator: + + ```yaml + apiVersion: apps/v1 + kind: Deployment + metadata: + name: trustyai-operator + namespace: trustyai-operator-system + spec: + replicas: 1 + selector: + matchLabels: + control-plane: trustyai-operator + template: + metadata: + labels: + control-plane: trustyai-operator + spec: + containers: + - name: trustyai-operator + image: quay.io/trustyai/trustyai-service-operator:latest + command: + - /manager + resources: + limits: + cpu: 100m + memory: 30Mi + requests: + cpu: 100m + memory: 20Mi + ``` + + or run + + ```shell + kubectl apply -f https://raw.githubusercontent.com/trustyai-explainability/trustyai-service-operator/main/artifacts/examples/deploy-operator.yaml + ``` + +## Usage + +Once the operator is installed, you can create `TrustyAIService` resources, and the operator will create corresponding TrustyAI deployments, services, and (on OpenShift) routes. + +Here's an example `TrustyAIService` manifest: + +```yaml +apiVersion: trustyai.opendatahub.io.trusty.opendatahub.io/v1 +kind: TrustyAIService +metadata: + name: trustyai-service-example +spec: + storage: + format: "PVC" + folder: "/inputs" + size: "1Gi" + data: + filename: "data.csv" + format: "CSV" + metrics: + schedule: "5s" + batchSize: 5000 # Optional, defaults to 5000 +``` + +You can apply this manifest with + +```shell +kubectl apply -f -n $NAMESPACE +``` +to create a service, where `$NAMESPACE` is the namespace where you want to deploy it. + + +Additionally, in that namespace: + +* a `ServiceMonitor` will be created to allow Prometheus to scrape metrics from the service. +* (if on OpenShift) a `Route` will be created to allow external access to the service. + +### Custom Image Configuration using ConfigMap + +You can configure the operator to use custom images by creating a `ConfigMap` in the operator's namespace. 
+The operator only checks the ConfigMap at deployment, so changes made afterward won't trigger a redeployment of services. + +Here's an example of a ConfigMap that specifies a custom image: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: trustyai-service-operator-config +data: + trustyaiServiceImageName: 'quay.io/mycustomrepo/mycustomimage' + trustyaiServiceImageTag: 'v1.0.0' +``` + +You can apply this manifest with the following command, replacing `` with the name of your manifest file: + +```shell +kubectl apply -f -n $OPERATOR_NAMESPACE +``` + +Please ensure the namespace specified is the same as the namespace where you have deployed the operator. + +After the ConfigMap is applied, you can then proceed to deploy the TrustyAI service. +The operator will use the image name and tag specified in the ConfigMap for the deployment. + +If you want to use a different image or tag in the future, you'll need to update the ConfigMap and redeploy the operator to have the changes take effect. The running TrustyAI services won't be redeployed automatically. To use the new image or tag, you'll need to delete and recreate the TrustyAIService resources. + +## Contributing + +Please see the [CONTRIBUTING.md](./CONTRIBUTING.md) file for more details on how to contribute to this project. + +## License + +This project is licensed under the Apache License Version 2.0 - see the [LICENSE](./LICENSE) file for details. \ No newline at end of file diff --git a/trustyai-service-operator/base/kustomization.yaml b/trustyai-service-operator/base/kustomization.yaml new file mode 100644 index 000000000..298fb5f38 --- /dev/null +++ b/trustyai-service-operator/base/kustomization.yaml 
@@ -0,0 +1,73 @@
+# Adds namespace to all resources.
+namespace: trustyai-service-operator-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+namePrefix: trustyai-service-operator-
+
+# Labels to add to all resources and selectors.
+#commonLabels:
+# someName: someValue
+
+resources:
+- ../crd
+- ../rbac
+- ../manager
+
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+#- ../webhook
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required.
+#- ../certmanager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+patchesStrategicMerge:
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+- manager_auth_proxy_patch.yaml
+
+
+
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+#- manager_webhook_patch.yaml
+
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
+# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
+#- webhookcainjection_patch.yaml
+
+# the following config is for teaching kustomize how to do var substitution
+vars:
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
+#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR
+# objref:
+# kind: Certificate
+# group: cert-manager.io
+# version: v1
+# name: serving-cert # this name should match the one in certificate.yaml
+# fieldref:
+# fieldpath: metadata.namespace
+#- name: CERTIFICATE_NAME
+# objref:
+# kind: Certificate
+# group: cert-manager.io
+# version: v1
+# name: serving-cert # this name should match the one in certificate.yaml
+#- name: SERVICE_NAMESPACE # namespace of the service
+# objref:
+# kind: Service
+# version: v1
+# name: webhook-service
+# fieldref:
+# fieldpath: metadata.namespace
+#- name: SERVICE_NAME
+# objref:
+# kind: Service
+# version: v1
+# name: webhook-service
diff --git a/trustyai-service-operator/base/manager_auth_proxy_patch.yaml b/trustyai-service-operator/base/manager_auth_proxy_patch.yaml
new file mode 100644
index 000000000..b75126616
--- /dev/null
+++ b/trustyai-service-operator/base/manager_auth_proxy_patch.yaml
@@ -0,0 +1,55 @@
+# This patch inject a sidecar container which is a HTTP proxy for the
+# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/arch
+ operator: In
+ values:
+ - amd64
+ - arm64
+ - ppc64le
+ - s390x
+ - key: kubernetes.io/os
+ operator: In
+ values:
+ - linux
+ containers:
+ - name: kube-rbac-proxy
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
+ args:
+ - "--secure-listen-address=0.0.0.0:8443"
+ - "--upstream=http://127.0.0.1:8080/"
+ - "--logtostderr=true"
+ - "--v=0"
+ ports:
+ - containerPort: 8443
+ protocol: TCP
+ name: https
+ resources:
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ requests:
+ cpu: 5m
+ memory: 64Mi
+ - name: manager
+ args:
+ - "--health-probe-bind-address=:8081"
+ - "--metrics-bind-address=127.0.0.1:8080"
+ - "--leader-elect"
diff --git a/trustyai-service-operator/base/manager_config_patch.yaml b/trustyai-service-operator/base/manager_config_patch.yaml
new file mode 100644
index 000000000..f6f589169
--- /dev/null
+++ b/trustyai-service-operator/base/manager_config_patch.yaml
@@ -0,0 +1,10 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: controller-manager
+ namespace: system
+spec:
+ template:
+ spec:
+ containers:
+ - name: manager
diff --git a/trustyai-service-operator/crd/bases/trustyai.opendatahub.io.trustyai.opendatahub.io_trustyaiservices.yaml b/trustyai-service-operator/crd/bases/trustyai.opendatahub.io.trustyai.opendatahub.io_trustyaiservices.yaml
new file mode 100644
index 000000000..e7ee6e7e4
--- /dev/null
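Review bot: In base/manager_auth_proxy_patch.yaml the sidecar that gates `/metrics` is referenced only by a mutable tag, `image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1`. Pin it by digest as well, e.g. `image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1@sha256:<digest-of-the-reviewed-image>`, so the authorization proxy cannot change underneath a deployed operator. The args also pass no `--tls-cert-file`/`--tls-private-key-file`, so the proxy presumably serves a self-generated certificate. That would explain why prometheus/monitor.yaml later in this patch has to set `insecureSkipVerify: true`, so the two should be fixed together.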
+++ b/trustyai-service-operator/crd/bases/trustyai.opendatahub.io.trustyai.opendatahub.io_trustyaiservices.yaml 
@@ -0,0 +1,122 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: trustyaiservices.trustyai.opendatahub.io.trustyai.opendatahub.io +spec: + group: trustyai.opendatahub.io.trustyai.opendatahub.io + names: + kind: TrustyAIService + listKind: TrustyAIServiceList + plural: trustyaiservices + singular: trustyaiservice + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: TrustyAIService is the Schema for the trustyaiservices API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TrustyAIServiceSpec defines the desired state of TrustyAIService + properties: + data: + properties: + filename: + type: string + format: + type: string + required: + - filename + - format + type: object + metrics: + properties: + batchSize: + type: integer + schedule: + type: string + required: + - schedule + type: object + replicas: + description: Number of replicas + format: int32 + type: integer + storage: + properties: + folder: + type: string + format: + type: string + size: + type: string + required: + - folder + - format + - size + type: object + required: + - data + - metrics + - storage + type: object + status: + description: TrustyAIServiceStatus defines the observed state of TrustyAIService + properties: + conditions: + items: + description: Condition represents possible conditions of a TrustyAIServiceStatus + properties: + lastTransitionTime: + format: date-time + type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + phase: + description: Define your status fields here + type: string + ready: + type: string + replicas: + format: int32 + type: integer + required: + - conditions + - phase + - replicas + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/trustyai-service-operator/crd/kustomization.yaml b/trustyai-service-operator/crd/kustomization.yaml new file mode 100644 index 000000000..a0c404aa8 --- /dev/null +++ b/trustyai-service-operator/crd/kustomization.yaml 
@@ -0,0 +1,21 @@ +# This kustomization.yaml is not intended to be run by itself, +# since it depends on service name and namespace that are out of this kustomize package. +# It should be run by config/default +resources: +- bases/trustyai.opendatahub.io.trustyai.opendatahub.io_trustyaiservices.yaml +#+kubebuilder:scaffold:crdkustomizeresource + +patchesStrategicMerge: +# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. +# patches here are for enabling the conversion webhook for each CRD +#- patches/webhook_in_trustyaiservices.yaml +#+kubebuilder:scaffold:crdkustomizewebhookpatch + +# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. +# patches here are for enabling the CA injection for each CRD +#- patches/cainjection_in_trustyaiservices.yaml +#+kubebuilder:scaffold:crdkustomizecainjectionpatch + +# the following config is for teaching kustomize how to do kustomization for CRDs. +configurations: +- kustomizeconfig.yaml diff --git a/trustyai-service-operator/crd/kustomizeconfig.yaml b/trustyai-service-operator/crd/kustomizeconfig.yaml new file mode 100644 index 000000000..ec5c150a9 --- /dev/null +++ b/trustyai-service-operator/crd/kustomizeconfig.yaml @@ -0,0 +1,19 @@ +# This file is for teaching kustomize how to substitute name and namespace reference in CRD +nameReference: +- kind: Service + version: v1 + fieldSpecs: + - kind: CustomResourceDefinition + version: v1 + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/name + +namespace: +- kind: CustomResourceDefinition + version: v1 + group: apiextensions.k8s.io + path: spec/conversion/webhook/clientConfig/service/namespace + create: false + +varReference: +- path: metadata/annotations diff --git a/trustyai-service-operator/crd/patches/cainjection_in_trustyaiservices.yaml b/trustyai-service-operator/crd/patches/cainjection_in_trustyaiservices.yaml new file mode 100644 index 000000000..7a3ba2154 --- /dev/null 
+++ b/trustyai-service-operator/crd/patches/cainjection_in_trustyaiservices.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+ name: trustyaiservices.trustyai.opendatahub.io.trustyai.opendatahub.io
diff --git a/trustyai-service-operator/crd/patches/webhook_in_trustyaiservices.yaml b/trustyai-service-operator/crd/patches/webhook_in_trustyaiservices.yaml
new file mode 100644
index 000000000..efdbf0f39
--- /dev/null
+++ b/trustyai-service-operator/crd/patches/webhook_in_trustyaiservices.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: trustyaiservices.trustyai.opendatahub.io.trustyai.opendatahub.io
+spec:
+ conversion:
+ strategy: Webhook
+ webhook:
+ clientConfig:
+ service:
+ namespace: system
+ name: webhook-service
+ path: /convert
+ conversionReviewVersions:
+ - v1
diff --git a/trustyai-service-operator/manager/kustomization.yaml b/trustyai-service-operator/manager/kustomization.yaml
new file mode 100644
index 000000000..66fa9d6dc
--- /dev/null
+++ b/trustyai-service-operator/manager/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+- manager.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: controller
+ newName: quay.io/trustyai/trustyai-service-operator
+ newTag: latest
diff --git a/trustyai-service-operator/manager/manager.yaml b/trustyai-service-operator/manager/manager.yaml
new file mode 100644
index 000000000..1296ff89a
--- /dev/null
+++ b/trustyai-service-operator/manager/manager.yaml
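Review bot: In manager/kustomization.yaml, `newTag: latest` makes the operator image a moving target, so whatever is pushed to `quay.io/trustyai/trustyai-service-operator:latest` becomes the controller. The Deployment in manager.yaml sets no `imagePullPolicy`, so with a `latest` tag the kubelet defaults to pulling on every pod start. That image runs under the `controller-manager` service account, which this patch binds to the cluster-wide `manager-role`. Pin an immutable reference instead, e.g. `newTag: <release-tag>` or `digest: sha256:<image-digest>`, so a deployed ODH version always maps to one reviewed operator build.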
@@ -0,0 +1,100 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: namespace + app.kubernetes.io/instance: system + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: system +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-manager + namespace: system + labels: + control-plane: controller-manager + app.kubernetes.io/name: deployment + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize +spec: + selector: + matchLabels: + control-plane: controller-manager + replicas: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: manager + labels: + control-plane: controller-manager + spec: + # TODO(user): Uncomment the following code to configure the nodeAffinity expression + # according to the platforms which are supported by your solution. + # It is considered best practice to support multiple architectures. You can + # build your manager image using the makefile target docker-buildx. 
+ # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/arch + # operator: In + # values: + # - amd64 + # - arm64 + # - ppc64le + # - s390x + # - key: kubernetes.io/os + # operator: In + # values: + # - linux + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containers: + - command: + - /manager + args: + - --leader-elect + image: controller:latest + name: manager + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + seccompProfile: + type: RuntimeDefault + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + # TODO(user): Configure the resources accordingly based on the project requirements. + # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + serviceAccountName: controller-manager + terminationGracePeriodSeconds: 10 diff --git a/trustyai-service-operator/manifests/kustomization.yaml b/trustyai-service-operator/manifests/kustomization.yaml new file mode 100644 index 000000000..9ef1f8a25 --- /dev/null +++ b/trustyai-service-operator/manifests/kustomization.yaml 
@@ -0,0 +1,27 @@
+# These resources constitute the fully configured set of manifests
+# used to generate the 'manifests/' directory in a bundle.
+resources:
+- bases/trustyai-service-operator.clusterserviceversion.yaml
+- ../default
+- ../samples
+- ../scorecard
+
+# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
+# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager.
+# These patches remove the unnecessary "cert" volume and its manager container volumeMount.
+#patchesJson6902:
+#- target:
+# group: apps
+# version: v1
+# kind: Deployment
+# name: controller-manager
+# namespace: system
+# patch: |-
+# # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
+# # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
+# - op: remove
+# path: /spec/template/spec/containers/1/volumeMounts/0
+# # Remove the "cert" volume, since OLM will create and mount a set of certs.
+# # Update the indices in this path if adding or removing volumes in the manager's Deployment.
+# - op: remove
+# path: /spec/template/spec/volumes/0
diff --git a/trustyai-service-operator/prometheus/kustomization.yaml b/trustyai-service-operator/prometheus/kustomization.yaml
new file mode 100644
index 000000000..ed137168a
--- /dev/null
+++ b/trustyai-service-operator/prometheus/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- monitor.yaml
diff --git a/trustyai-service-operator/prometheus/monitor.yaml b/trustyai-service-operator/prometheus/monitor.yaml
new file mode 100644
index 000000000..f80c3b2d1
--- /dev/null
+++ b/trustyai-service-operator/prometheus/monitor.yaml
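Review bot: In manifests/kustomization.yaml the `resources` list points at `../default` and `bases/trustyai-service-operator.clusterserviceversion.yaml`, but neither path appears in this patch's diffstat. The scaffold's default overlay seems to have been added as `base/` instead, so unless a later patch in the series adds those paths, a kustomize build of this directory will fail on unresolved resources. Point the entry at the directory that exists, `- ../base`, and either add the CSV base or drop that line. The commented `patchesJson6902` block has the same kind of stale reference, since it still indexes `containers/1`, which depends on the container order after the auth-proxy patch is applied.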
@@ -0,0 +1,26 @@
+
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: servicemonitor
+ app.kubernetes.io/instance: controller-manager-metrics-monitor
+ app.kubernetes.io/component: metrics
+ app.kubernetes.io/created-by: trustyai-service-operator
+ app.kubernetes.io/part-of: trustyai-service-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager-metrics-monitor
+ namespace: system
+spec:
+ endpoints:
+ - path: /metrics
+ port: https
+ scheme: https
+ bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
+ tlsConfig:
+ insecureSkipVerify: true
+ selector:
+ matchLabels:
+ control-plane: controller-manager
diff --git a/trustyai-service-operator/rbac/auth_proxy_client_clusterrole.yaml b/trustyai-service-operator/rbac/auth_proxy_client_clusterrole.yaml
new file mode 100644
index 000000000..e0a7df642
--- /dev/null
+++ b/trustyai-service-operator/rbac/auth_proxy_client_clusterrole.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrole
+ app.kubernetes.io/instance: metrics-reader
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: trustyai-service-operator
+ app.kubernetes.io/part-of: trustyai-service-operator
+ app.kubernetes.io/managed-by: kustomize
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
diff --git a/trustyai-service-operator/rbac/auth_proxy_role.yaml b/trustyai-service-operator/rbac/auth_proxy_role.yaml
new file mode 100644
index 000000000..51b0ff9ae
--- /dev/null
+++ b/trustyai-service-operator/rbac/auth_proxy_role.yaml
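Review bot: In prometheus/monitor.yaml, `insecureSkipVerify: true` sits next to `bearerTokenFile`, so the scraper presents its service-account token to whatever answers on the `https` port without checking the certificate. The ServiceMonitor is still commented out in base/kustomization.yaml (`#- ../prometheus`), so this only takes effect once [PROMETHEUS] is enabled, but it should be fixed before then. Give kube-rbac-proxy a real serving certificate via `--tls-cert-file`/`--tls-private-key-file` (on OpenShift the service serving-cert mechanism can issue one). Then replace the skip-verify line with `serverName: <metrics-service>.<namespace>.svc` plus a `ca` reference to the issuing CA. If the skip-verify line has to stay for now, add a comment above it saying why and what is needed to remove it.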
@@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: proxy-role + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create diff --git a/trustyai-service-operator/rbac/auth_proxy_role_binding.yaml b/trustyai-service-operator/rbac/auth_proxy_role_binding.yaml new file mode 100644 index 000000000..095756e6c --- /dev/null +++ b/trustyai-service-operator/rbac/auth_proxy_role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: proxy-rolebinding + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: proxy-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/trustyai-service-operator/rbac/auth_proxy_service.yaml b/trustyai-service-operator/rbac/auth_proxy_service.yaml new file mode 100644 index 000000000..2250889d2 --- /dev/null +++ b/trustyai-service-operator/rbac/auth_proxy_service.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + app.kubernetes.io/name: service + app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: controller-manager-metrics-service + namespace: system +spec: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + selector: + control-plane: controller-manager diff --git a/trustyai-service-operator/rbac/kustomization.yaml b/trustyai-service-operator/rbac/kustomization.yaml new file mode 100644 index 000000000..731832a6a --- /dev/null +++ b/trustyai-service-operator/rbac/kustomization.yaml @@ -0,0 +1,18 @@ +resources: +# All RBAC will be applied under this service account in +# the deployment namespace. You may comment out this resource +# if your manager will use a service account that exists at +# runtime. Be sure to update RoleBinding and ClusterRoleBinding +# subjects if changing service account names. +- service_account.yaml +- role.yaml +- role_binding.yaml +- leader_election_role.yaml +- leader_election_role_binding.yaml +# Comment the following 4 lines if you want to disable +# the auth proxy (https://github.com/brancz/kube-rbac-proxy) +# which protects your /metrics endpoint. +- auth_proxy_service.yaml +- auth_proxy_role.yaml +- auth_proxy_role_binding.yaml +- auth_proxy_client_clusterrole.yaml diff --git a/trustyai-service-operator/rbac/leader_election_role.yaml b/trustyai-service-operator/rbac/leader_election_role.yaml new file mode 100644 index 000000000..0cba84c42 --- /dev/null +++ b/trustyai-service-operator/rbac/leader_election_role.yaml 
@@ -0,0 +1,44 @@ +# permissions to do leader election. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/name: role + app.kubernetes.io/instance: leader-election-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: leader-election-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch diff --git a/trustyai-service-operator/rbac/leader_election_role_binding.yaml b/trustyai-service-operator/rbac/leader_election_role_binding.yaml new file mode 100644 index 000000000..4736aefb4 --- /dev/null +++ b/trustyai-service-operator/rbac/leader_election_role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rolebinding + app.kubernetes.io/instance: leader-election-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: leader-election-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: leader-election-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/trustyai-service-operator/rbac/role.yaml b/trustyai-service-operator/rbac/role.yaml new file mode 100644 index 000000000..c5008fdb6 --- /dev/null +++ b/trustyai-service-operator/rbac/role.yaml 
@@ -0,0 +1,155 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: manager-role +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments/finalizers + verbs: + - update +- apiGroups: + - apps + resources: + - deployments/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - persistentvolumes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - create + - list + - watch +- apiGroups: + - route.openshift.io + resources: + - routes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - serving.kserve.io + resources: + - servingruntimes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - serving.kserve.io + resources: + - servingruntimes/status + verbs: + - get + - patch + - update +- apiGroups: + - trustyai.opendatahub.io.trustyai.opendatahub.io + resources: + - trustyaiservices + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - trustyai.opendatahub.io.trustyai.opendatahub.io + resources: + - trustyaiservices/finalizers + verbs: + - update +- apiGroups: + - trustyai.opendatahub.io.trustyai.opendatahub.io + resources: + - trustyaiservices/status 
+ verbs: + - get + - patch + - update diff --git a/trustyai-service-operator/rbac/role_binding.yaml b/trustyai-service-operator/rbac/role_binding.yaml new file mode 100644 index 000000000..2fefba7cb --- /dev/null +++ b/trustyai-service-operator/rbac/role_binding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: clusterrolebinding + app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role +subjects: +- kind: ServiceAccount + name: controller-manager + namespace: system diff --git a/trustyai-service-operator/rbac/service_account.yaml b/trustyai-service-operator/rbac/service_account.yaml new file mode 100644 index 000000000..9f6647d6a --- /dev/null +++ b/trustyai-service-operator/rbac/service_account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: controller-manager + namespace: system diff --git a/trustyai-service-operator/rbac/trustyaiservice_editor_role.yaml b/trustyai-service-operator/rbac/trustyaiservice_editor_role.yaml new file mode 100644 index 000000000..a34ef412e --- /dev/null +++ b/trustyai-service-operator/rbac/trustyaiservice_editor_role.yaml 
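Review bot: In rbac/role.yaml, `manager-role` is a ClusterRole and role_binding.yaml attaches it with a ClusterRoleBinding, so the `create`/`delete`/`patch`/`update` verbs on `pods`, `configmaps`, `services`, `persistentvolumeclaims`, `deployments` and `routes` apply in every namespace. The controller code is not part of this patch, but an operator that manages Deployments usually only reads pods. If that holds here, narrow the source marker to `// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch` and regenerate the role rather than editing the YAML. The `servicemonitors` rule grants `create`/`list`/`watch` without `get` or `update`, unlike every other managed resource, so check it against what the reconciler actually calls. Combined with the `latest` image tag in manager/kustomization.yaml, these write permissions are what a replaced operator image would inherit.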
@@ -0,0 +1,31 @@ +# permissions for end users to edit trustyaiservices. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: trustyaiservice-editor-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: trustyaiservice-editor-role +rules: +- apiGroups: + - trustyai.opendatahub.io.trustyai.opendatahub.io + resources: + - trustyaiservices + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - trustyai.opendatahub.io.trustyai.opendatahub.io + resources: + - trustyaiservices/status + verbs: + - get diff --git a/trustyai-service-operator/rbac/trustyaiservice_viewer_role.yaml b/trustyai-service-operator/rbac/trustyaiservice_viewer_role.yaml new file mode 100644 index 000000000..2bbe62f67 --- /dev/null +++ b/trustyai-service-operator/rbac/trustyaiservice_viewer_role.yaml @@ -0,0 +1,27 @@ +# permissions for end users to view trustyaiservices. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: clusterrole + app.kubernetes.io/instance: trustyaiservice-viewer-role + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: trustyai-service-operator + app.kubernetes.io/part-of: trustyai-service-operator + app.kubernetes.io/managed-by: kustomize + name: trustyaiservice-viewer-role +rules: +- apiGroups: + - trustyai.opendatahub.io.trustyai.opendatahub.io + resources: + - trustyaiservices + verbs: + - get + - list + - watch +- apiGroups: + - trustyai.opendatahub.io.trustyai.opendatahub.io + resources: + - trustyaiservices/status + verbs: + - get diff --git a/trustyai-service-operator/samples/kustomization.yaml b/trustyai-service-operator/samples/kustomization.yaml new file mode 100644 index 000000000..1c3b614d3 --- /dev/null 
+++ b/trustyai-service-operator/samples/kustomization.yaml
@@ -0,0 +1,4 @@
+## Append samples you want in your CSV to this file as resources ##
+resources:
+- trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml
+#+kubebuilder:scaffold:manifestskustomizesamples
diff --git a/trustyai-service-operator/samples/trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml b/trustyai-service-operator/samples/trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml
new file mode 100644
index 000000000..7e01c4aa1
--- /dev/null
+++ b/trustyai-service-operator/samples/trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml
@@ -0,0 +1,12 @@
+apiVersion: trustyai.opendatahub.io.trustyai.opendatahub.io/v1alpha1
+kind: TrustyAIService
+metadata:
+ labels:
+ app.kubernetes.io/name: trustyaiservice
+ app.kubernetes.io/instance: trustyaiservice-sample
+ app.kubernetes.io/part-of: trustyai-service-operator
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/created-by: trustyai-service-operator
+ name: trustyaiservice-sample
+spec:
+ # TODO(user): Add fields here
diff --git a/trustyai-service-operator/scorecard/bases/config.yaml b/trustyai-service-operator/scorecard/bases/config.yaml
new file mode 100644
index 000000000..c77047841
--- /dev/null
+++ b/trustyai-service-operator/scorecard/bases/config.yaml
@@ -0,0 +1,7 @@
+apiVersion: scorecard.operatorframework.io/v1alpha3
+kind: Configuration
+metadata:
+ name: config
+stages:
+- parallel: true
+ tests: []
diff --git a/trustyai-service-operator/scorecard/kustomization.yaml b/trustyai-service-operator/scorecard/kustomization.yaml
new file mode 100644
index 000000000..50cd2d084
--- /dev/null
+++ b/trustyai-service-operator/scorecard/kustomization.yaml
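Review bot: The sample `trustyaiservice-sample` ships with an empty `spec:` (only the scaffold TODO), while the CRD in this patch lists `data`, `metrics` and `storage` as required inside `spec`. As written the sample is not a working example, and it is what manifests/kustomization.yaml pulls in through `../samples`. Fill in the required fields with values the operator is expected to accept. Separately, `apiVersion: trustyai.opendatahub.io.trustyai.opendatahub.io/v1alpha1` repeats the domain, which looks like the group was scaffolded with the domain already included. The same group string recurs in the CRD, the cainjection/webhook patches and the RBAC roles, and an API group is hard to rename once objects exist, so confirm it is intended before this merges.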
@@ -0,0 +1,16 @@ +resources: +- bases/config.yaml +patchesJson6902: +- path: patches/basic.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +- path: patches/olm.config.yaml + target: + group: scorecard.operatorframework.io + version: v1alpha3 + kind: Configuration + name: config +#+kubebuilder:scaffold:patchesJson6902 diff --git a/trustyai-service-operator/scorecard/patches/basic.config.yaml b/trustyai-service-operator/scorecard/patches/basic.config.yaml new file mode 100644 index 000000000..c8455f1b8 --- /dev/null +++ b/trustyai-service-operator/scorecard/patches/basic.config.yaml @@ -0,0 +1,10 @@ +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: basic + test: basic-check-spec-test diff --git a/trustyai-service-operator/scorecard/patches/olm.config.yaml b/trustyai-service-operator/scorecard/patches/olm.config.yaml new file mode 100644 index 000000000..8680989e7 --- /dev/null +++ b/trustyai-service-operator/scorecard/patches/olm.config.yaml 
@@ -0,0 +1,50 @@ +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-bundle-validation-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-crds-have-validation-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-crds-have-resources + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-crds-have-resources-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-spec-descriptors-test +- op: add + path: /stages/0/tests/- + value: + entrypoint: + - scorecard-test + - olm-status-descriptors + image: quay.io/operator-framework/scorecard-test:v1.28.1 + labels: + suite: olm + test: olm-status-descriptors-test diff --git a/trustyai-service/README.md b/trustyai-service/README.md deleted file mode 100644 index 07a7883ed..000000000 --- a/trustyai-service/README.md +++ /dev/null 
@@ -1,38 +0,0 @@ -# TrustyAI Service - -TrustyAI is a service to provide fairness metrics to ModelMesh served models. - - -### Installation process - -Following are the steps to install Model Mesh as a part of OpenDataHub install: - -1. Install the OpenDataHub operator -2. Create a KfDef that includes the model-mesh component with the odh-model-controller overlay. -3. Set the `payloadProcessor` value within `model-serving-config-defaults` ConfigMap -to `http://trustyai-service/consumer/kserve/v2` -4. Create a TrustyAI KfDef: -``` -apiVersion: kfdef.apps.kubeflow.org/v1 -kind: KfDef -metadata: - name: odh-trustyai -spec: - applications: - - kustomizeConfig: - repoRef: - name: manifests - path: odh-common - name: odh-common - - kustomizeConfig: - repoRef: - name: manifests - path: trustyai-service - name: trustyai - repos: - - name: manifests - uri: https://api.github.com/repos/opendatahub-io/odh-manifests/tarball/master - version: master - -``` - diff --git a/trustyai-service/base/kustomization.yaml b/trustyai-service/base/kustomization.yaml deleted file mode 100644 index 5b58d3060..000000000 --- a/trustyai-service/base/kustomization.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -commonLabels: - app: trustyai - app.kubernetes.io/part-of: trustyai -resources: -- ../default -- ../servicemonitors -- trustyai-configmap.yaml -- route.yaml -- pvc.yaml \ No newline at end of file diff --git a/trustyai-service/base/pvc.yaml b/trustyai-service/base/pvc.yaml deleted file mode 100644 index 86a8c864f..000000000 --- a/trustyai-service/base/pvc.yaml +++ /dev/null @@ -1,11 +0,0 @@ -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: trustyai-service-pvc -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - volumeMode: Filesystem \ No newline at end of file diff --git a/trustyai-service/base/route.yaml b/trustyai-service/base/route.yaml deleted file mode 100644 index 7d31ca4a1..000000000 
--- a/trustyai-service/base/route.yaml +++ /dev/null @@ -1,17 +0,0 @@ -kind: Route -apiVersion: route.openshift.io/v1 -metadata: - name: trustyai - labels: - app: trustyai - app.kubernetes.io/name: trustyai-service - app.kubernetes.io/part-of: trustyai - app.kubernetes.io/version: 0.1.0 - app.openshift.io/runtime: quarkus -spec: - to: - kind: Service - name: trustyai-service - port: - targetPort: http - tls: null diff --git a/trustyai-service/base/trustyai-configmap.yaml b/trustyai-service/base/trustyai-configmap.yaml deleted file mode 100644 index d41e3b955..000000000 --- a/trustyai-service/base/trustyai-configmap.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: trustyai-config -data: - service_storage_format: "PVC" - service_data_format: "CSV" - service_metrics_schedule: "5s" - service_batch_size: "5000" - storage_data_filename: "data.csv" - storage_data_folder: "/inputs" - diff --git a/trustyai-service/default/kustomization.yaml b/trustyai-service/default/kustomization.yaml deleted file mode 100644 index a62a0fe66..000000000 --- a/trustyai-service/default/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - trustyai-deployment.yaml \ No newline at end of file diff --git a/trustyai-service/default/trustyai-deployment.yaml b/trustyai-service/default/trustyai-deployment.yaml deleted file mode 100644 index 259bb79fd..000000000 --- a/trustyai-service/default/trustyai-deployment.yaml +++ /dev/null 
@@ -1,193 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - app.openshift.io/vcs-url: <> - app.quarkus.io/commit-id: 0acbb40970b5c0dd7e5a50966d6b3d68e137be10 - app.quarkus.io/build-timestamp: 2023-02-24 - 13:56:14 +0000 - prometheus.io/scrape: "true" - prometheus.io/path: /q/metrics - prometheus.io/port: "8080" - prometheus.io/scheme: http - service.alpha.openshift.io/serving-cert-secret-name: trustyai-service-proxy-tls - labels: - app.kubernetes.io/name: trustyai-service - app.kubernetes.io/version: 0.1.0 - app.openshift.io/runtime: quarkus - name: trustyai-service -spec: - ports: - - name: http - port: 80 - targetPort: 8080 - selector: - app.kubernetes.io/name: trustyai-service - app.kubernetes.io/version: 0.1.0 - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - annotations: - app.openshift.io/vcs-url: <> - app.quarkus.io/commit-id: ea73183a2c1b81bd9afe31005644d374b5bdeb34 - app.quarkus.io/build-timestamp: 2023-02-15 - 15:41:47 +0000 - prometheus.io/scrape: "true" - prometheus.io/path: /q/metrics - prometheus.io/port: "8080" - prometheus.io/scheme: http - labels: - app.openshift.io/runtime: quarkus - app.kubernetes.io/version: 0.1.0 - app.kubernetes.io/name: trustyai-service - app.kubernetes.io/version: 0.1.0 - app.openshift.io/runtime: quarkus - name: trustyai-service -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/version: 0.1.0 - app.kubernetes.io/name: trustyai-service - template: - metadata: - annotations: - app.openshift.io/vcs-url: <> - app.quarkus.io/commit-id: ea73183a2c1b81bd9afe31005644d374b5bdeb34 - app.quarkus.io/build-timestamp: 2023-02-15 - 15:41:47 +0000 - prometheus.io/scrape: "true" - prometheus.io/path: /q/metrics - prometheus.io/port: "8080" - prometheus.io/scheme: http - labels: - app.openshift.io/runtime: quarkus - app.kubernetes.io/version: 0.1.0 - app.kubernetes.io/name: trustyai-service - spec: - initContainers: - - name: config-map-overrider - image: 
registry.redhat.io/openshift4/ose-cli@sha256:25fef269ac6e7491cb8340119a9b473acbeb53bc6970ad029fdaae59c3d0ca61 - command: [ "/bin/bash", "-c", "--" ] - args: - - | - # ugly hack: write a configmap that knows its own namespace - echo "apiVersion: v1" > /tmp/model-serving-config.yaml - echo "kind: ConfigMap" >> /tmp/model-serving-config.yaml - echo "metadata:" >> /tmp/model-serving-config.yaml - echo " name: model-serving-config" >> /tmp/model-serving-config.yaml - echo "data:" >> /tmp/model-serving-config.yaml - echo " config.yaml: |" >> /tmp/model-serving-config.yaml - - current_namespace=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) - - echo " payloadProcessors: "http://trustyai-service.$current_namespace/consumer/kserve/v2"" >> /tmp/model-serving-config.yaml - cat /tmp/model-serving-config.yaml - oc apply -f /tmp/model-serving-config.yaml - exit 0 - containers: - - env: - - name: STORAGE_DATA_FILENAME - valueFrom: - configMapKeyRef: - key: storage_data_filename - name: trustyai-config - - name: SERVICE_STORAGE_FORMAT - valueFrom: - configMapKeyRef: - key: service_storage_format - name: trustyai-config - - name: STORAGE_DATA_FOLDER - valueFrom: - configMapKeyRef: - key: storage_data_folder - name: trustyai-config - - name: SERVICE_BATCH_SIZE - valueFrom: - configMapKeyRef: - key: service_batch_size - name: trustyai-config - - name: SERVICE_DATA_FORMAT - valueFrom: - configMapKeyRef: - key: service_data_format - name: trustyai-config - - name: SERVICE_METRICS_SCHEDULE - valueFrom: - configMapKeyRef: - key: service_metrics_schedule - name: trustyai-config - image: quay.io/trustyai/trustyai-service:0.1.0 - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /q/health/live - port: 8080 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 10 - name: trustyai-service - ports: - - containerPort: 8080 - name: http - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: 
- path: /q/health/ready - port: 8080 - scheme: HTTP - initialDelaySeconds: 0 - periodSeconds: 30 - successThreshold: 1 - timeoutSeconds: 10 - volumeMounts: - - mountPath: /inputs - name: volume - readOnly: false - serviceAccountName: trustyai-serviceaccount - - volumes: - - name: volume - persistentVolumeClaim: - claimName: trustyai-service-pvc - readOnly: false - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: trustyai-serviceaccount ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: trustyai-role -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: trustyai-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: trustyai-role -subjects: - - kind: ServiceAccount - name: trustyai-serviceaccount \ No newline at end of file diff --git a/trustyai-service/servicemonitors/kustomization.yaml b/trustyai-service/servicemonitors/kustomization.yaml deleted file mode 100644 index 6957f7b71..000000000 --- a/trustyai-service/servicemonitors/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - trustyai-metrics.yaml diff --git a/trustyai-service/servicemonitors/trustyai-metrics.yaml b/trustyai-service/servicemonitors/trustyai-metrics.yaml deleted file mode 100644 index 6591502eb..000000000 --- a/trustyai-service/servicemonitors/trustyai-metrics.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: trustyai-metrics - labels: - modelmesh-service: modelmesh-serving -spec: - endpoints: - - interval: 30s - path: /q/metrics - honorLabels: true - honorTimestamps: true - scrapeTimeout: 10s - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token - bearerTokenSecret: - key: "" - targetPort: 8080 - scheme: http - params: - 'match[]': - - '{__name__= "trustyai_spd"}' - - '{__name__= "trustyai_dir"}' - metricRelabelings: - - action: keep - regex: trustyai_.* - sourceLabels: - - __name__ - selector: - matchLabels: - app.kubernetes.io/name: trustyai-service \ No newline at end of file From dc4269727d3020c7daa3a3256e3ea383e21882c3 Mon Sep 17 00:00:00 2001 From: Rob Geada Date: Fri, 7 Jul 2023 10:16:36 +0100 Subject: [PATCH 2/3] remove comments, fix links, set image tag to fixed --- tests/resources/trustyai/trustyai_crd.yaml | 4 ---- trustyai-service-operator/README.md | 4 ++-- trustyai-service-operator/manager/kustomization.yaml | 2 +- 3 files changed, 3 insertions(+), 7 deletions(-) diff --git a/tests/resources/trustyai/trustyai_crd.yaml b/tests/resources/trustyai/trustyai_crd.yaml index b404fcfbe..140af8d47 100644 --- a/tests/resources/trustyai/trustyai_crd.yaml +++ b/tests/resources/trustyai/trustyai_crd.yaml @@ -3,10 +3,6 @@ kind: TrustyAIService metadata: name: trustyai-service spec: - # Optional values for replicas, image and tag. Below are the default values. - # replicas: 1 - # image: quay.io/trustyaiservice/trustyai-service - # tag: latest storage: format: "PVC" folder: "/inputs" diff --git a/trustyai-service-operator/README.md b/trustyai-service-operator/README.md index 6bc47e267..0c336204c 100644 --- a/trustyai-service-operator/README.md +++ b/trustyai-service-operator/README.md 
@@ -134,8 +134,8 @@ If you want to use a different image or tag in the future, you'll need to update ## Contributing -Please see the [CONTRIBUTING.md](./CONTRIBUTING.md) file for more details on how to contribute to this project. +Please see the [CONTRIBUTING.md](https://github.com/trustyai-explainability/trustyai-explainability/blob/main/CONTRIBUTING.md) file for more details on how to contribute to this project. ## License -This project is licensed under the Apache License Version 2.0 - see the [LICENSE](./LICENSE) file for details. \ No newline at end of file +This project is licensed under the Apache License Version 2.0 - see the [LICENSE](https://github.com/trustyai-explainability/trustyai-explainability/blob/main/LICENSE) file for details. \ No newline at end of file diff --git a/trustyai-service-operator/manager/kustomization.yaml b/trustyai-service-operator/manager/kustomization.yaml index 66fa9d6dc..474f5bd16 100644 --- a/trustyai-service-operator/manager/kustomization.yaml +++ b/trustyai-service-operator/manager/kustomization.yaml @@ -5,4 +5,4 @@ kind: Kustomization images: - name: controller newName: quay.io/trustyai/trustyai-service-operator - newTag: latest + newTag: 1.7.0 From a6746e5772c5cae662f48bdacb0aa3fbad076ba5 Mon Sep 17 00:00:00 2001 
From: Rob Geada Date: Tue, 18 Jul 2023 13:27:37 +0100 Subject: [PATCH 3/3] Sync manifests after upstream cleanup --- .../base/kustomization.yaml | 62 +------------------ .../base/manager_auth_proxy_patch.yaml | 2 - .../crd/kustomization.yaml | 11 ---- .../crd/kustomizeconfig.yaml | 1 - .../cainjection_in_trustyaiservices.yaml | 1 - .../patches/webhook_in_trustyaiservices.yaml | 1 - .../manager/kustomization.yaml | 9 ++- .../manager/manager.yaml | 35 ----------- .../manifests/kustomization.yaml | 24 +------ .../prometheus/monitor.yaml | 2 - .../rbac/kustomization.yaml | 8 --- .../rbac/leader_election_role.yaml | 1 - .../rbac/trustyaiservice_editor_role.yaml | 1 - .../samples/kustomization.yaml | 4 -- ...endatahub.io_v1alpha1_trustyaiservice.yaml | 12 ---- 15 files changed, 10 insertions(+), 164 deletions(-) delete mode 100644 trustyai-service-operator/samples/kustomization.yaml delete mode 100644 trustyai-service-operator/samples/trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml diff --git a/trustyai-service-operator/base/kustomization.yaml b/trustyai-service-operator/base/kustomization.yaml index 298fb5f38..64ae8211b 100644 --- a/trustyai-service-operator/base/kustomization.yaml +++ b/trustyai-service-operator/base/kustomization.yaml 
@@ -1,73 +1,13 @@ -# Adds namespace to all resources. -namespace: trustyai-service-operator-system +#namespace: trustyai-service-operator-system -# Value of this field is prepended to the -# names of all resources, e.g. a deployment named -# "wordpress" becomes "alices-wordpress". -# Note that it should also match with the prefix (text before '-') of the namespace -# field above. namePrefix: trustyai-service-operator- -# Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue - resources: - ../crd - ../rbac - ../manager -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -#- ../certmanager -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus - patchesStrategicMerge: -# Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics -# endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml - - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -#- manager_webhook_patch.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. -# 'CERTMANAGER' needs to be enabled to use ca injection -#- webhookcainjection_patch.yaml - -# the following config is for teaching kustomize how to do var substitution vars: -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. 
-#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR -# objref: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldref: -# fieldpath: metadata.namespace -#- name: CERTIFICATE_NAME -# objref: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -#- name: SERVICE_NAMESPACE # namespace of the service -# objref: -# kind: Service -# version: v1 -# name: webhook-service -# fieldref: -# fieldpath: metadata.namespace -#- name: SERVICE_NAME -# objref: -# kind: Service -# version: v1 -# name: webhook-service diff --git a/trustyai-service-operator/base/manager_auth_proxy_patch.yaml b/trustyai-service-operator/base/manager_auth_proxy_patch.yaml index b75126616..a91fe3c28 100644 --- a/trustyai-service-operator/base/manager_auth_proxy_patch.yaml +++ b/trustyai-service-operator/base/manager_auth_proxy_patch.yaml @@ -1,5 +1,3 @@ -# This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. apiVersion: apps/v1 kind: Deployment metadata: diff --git a/trustyai-service-operator/crd/kustomization.yaml b/trustyai-service-operator/crd/kustomization.yaml index a0c404aa8..727bbeb48 100644 --- a/trustyai-service-operator/crd/kustomization.yaml +++ b/trustyai-service-operator/crd/kustomization.yaml 
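Review bot: The cleanup of base/kustomization.yaml appears to leave a bare `vars:` key with nothing under it, and it turns `namespace:` into a commented-out line without saying why. Drop `vars:`, and either delete the `#namespace:` line or explain it, e.g. `# namespace is supplied by the deploying KfDef`. With no namespace set here, any RBAC binding subject that carries a placeholder namespace only resolves if the deploying tool rewrites it, which is worth checking against rbac/role_binding.yaml (not shown in this hunk). I would also keep one line above `- manager_auth_proxy_patch.yaml`, for example `# keeps /metrics behind the auth proxy (authn/z); do not remove`, because the deleted comment was the only place that recorded what the patch protects.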
@@ -1,21 +1,10 @@ -# This kustomization.yaml is not intended to be run by itself, -# since it depends on service name and namespace that are out of this kustomize package. -# It should be run by config/default resources: - bases/trustyai.opendatahub.io.trustyai.opendatahub.io_trustyaiservices.yaml #+kubebuilder:scaffold:crdkustomizeresource patchesStrategicMerge: -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix. -# patches here are for enabling the conversion webhook for each CRD -#- patches/webhook_in_trustyaiservices.yaml #+kubebuilder:scaffold:crdkustomizewebhookpatch - -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. -# patches here are for enabling the CA injection for each CRD -#- patches/cainjection_in_trustyaiservices.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch -# the following config is for teaching kustomize how to do kustomization for CRDs. configurations: - kustomizeconfig.yaml diff --git a/trustyai-service-operator/crd/kustomizeconfig.yaml b/trustyai-service-operator/crd/kustomizeconfig.yaml index ec5c150a9..e0dd2980c 100644 --- a/trustyai-service-operator/crd/kustomizeconfig.yaml +++ b/trustyai-service-operator/crd/kustomizeconfig.yaml @@ -1,4 +1,3 @@ -# This file is for teaching kustomize how to substitute name and namespace reference in CRD nameReference: - kind: Service version: v1 diff --git a/trustyai-service-operator/crd/patches/cainjection_in_trustyaiservices.yaml b/trustyai-service-operator/crd/patches/cainjection_in_trustyaiservices.yaml index 7a3ba2154..95a5d30c9 100644 --- a/trustyai-service-operator/crd/patches/cainjection_in_trustyaiservices.yaml +++ b/trustyai-service-operator/crd/patches/cainjection_in_trustyaiservices.yaml @@ -1,4 +1,3 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: 
diff --git a/trustyai-service-operator/crd/patches/webhook_in_trustyaiservices.yaml b/trustyai-service-operator/crd/patches/webhook_in_trustyaiservices.yaml index efdbf0f39..3b364e688 100644 --- a/trustyai-service-operator/crd/patches/webhook_in_trustyaiservices.yaml +++ b/trustyai-service-operator/crd/patches/webhook_in_trustyaiservices.yaml @@ -1,4 +1,3 @@ -# The following patch enables a conversion webhook for the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: diff --git a/trustyai-service-operator/manager/kustomization.yaml b/trustyai-service-operator/manager/kustomization.yaml index 474f5bd16..5995d240e 100644 --- a/trustyai-service-operator/manager/kustomization.yaml +++ b/trustyai-service-operator/manager/kustomization.yaml @@ -5,4 +5,11 @@ kind: Kustomization images: - name: controller newName: quay.io/trustyai/trustyai-service-operator - newTag: 1.7.0 + newTag: v1.8.0 +configMapGenerator: + - name: config + literals: + - trustyaiServiceImageName=quay.io/trustyai/trustyai-service + - trustyaiServiceImageTag=v0.2.0 +generatorOptions: + disableNameSuffixHash: true \ No newline at end of file diff --git a/trustyai-service-operator/manager/manager.yaml b/trustyai-service-operator/manager/manager.yaml index 1296ff89a..022f5d593 100644 --- a/trustyai-service-operator/manager/manager.yaml +++ b/trustyai-service-operator/manager/manager.yaml @@ -1,16 +1,3 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - app.kubernetes.io/name: namespace - app.kubernetes.io/instance: system - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: trustyai-service-operator - app.kubernetes.io/part-of: trustyai-service-operator - app.kubernetes.io/managed-by: kustomize - name: system ---- apiVersion: apps/v1 kind: Deployment metadata: 
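Review bot: The `configMapGenerator` block added to manager/kustomization.yaml makes the operand image a runtime input. With `disableNameSuffixHash: true` the ConfigMap keeps a fixed name, and the `trustyaiServiceImageName` / `trustyaiServiceImageTag` literals presumably tell the operator which image to deploy (the operator code is not part of this patch). Anyone who can update that ConfigMap in the operator's namespace would then choose the image the operator rolls out, so a comment above the generator such as `# operand image read by the operator at runtime; limit write access to this ConfigMap` would help the next maintainer. Both `newTag: v1.8.0` and `trustyaiServiceImageTag=v0.2.0` are mutable tags; the `images` entry could carry a `digest:` instead so the deployed operator is reproducible.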
@@ -36,26 +23,6 @@ spec: labels: control-plane: controller-manager spec: - # TODO(user): Uncomment the following code to configure the nodeAffinity expression - # according to the platforms which are supported by your solution. - # It is considered best practice to support multiple architectures. You can - # build your manager image using the makefile target docker-buildx. - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: kubernetes.io/arch - # operator: In - # values: - # - amd64 - # - arm64 - # - ppc64le - # - s390x - # - key: kubernetes.io/os - # operator: In - # values: - # - linux securityContext: runAsNonRoot: true seccompProfile: @@ -87,8 +54,6 @@ spec: port: 8081 initialDelaySeconds: 5 periodSeconds: 10 - # TODO(user): Configure the resources accordingly based on the project requirements. - # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: limits: cpu: 500m diff --git a/trustyai-service-operator/manifests/kustomization.yaml b/trustyai-service-operator/manifests/kustomization.yaml index 9ef1f8a25..e2870a367 100644 --- a/trustyai-service-operator/manifests/kustomization.yaml +++ b/trustyai-service-operator/manifests/kustomization.yaml 
@@ -1,27 +1,5 @@ -# These resources constitute the fully configured set of manifests -# used to generate the 'manifests/' directory in a bundle. resources: - bases/trustyai-service-operator.clusterserviceversion.yaml - ../default - ../samples -- ../scorecard - -# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix. -# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager. -# These patches remove the unnecessary "cert" volume and its manager container volumeMount. -#patchesJson6902: -#- target: -# group: apps -# version: v1 -# kind: Deployment -# name: controller-manager -# namespace: system -# patch: |- -# # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/containers/1/volumeMounts/0 -# # Remove the "cert" volume, since OLM will create and mount a set of certs. -# # Update the indices in this path if adding or removing volumes in the manager's Deployment. -# - op: remove -# path: /spec/template/spec/volumes/0 +- ../scorecard \ No newline at end of file diff --git a/trustyai-service-operator/prometheus/monitor.yaml b/trustyai-service-operator/prometheus/monitor.yaml index f80c3b2d1..fa23e2710 100644 --- a/trustyai-service-operator/prometheus/monitor.yaml +++ b/trustyai-service-operator/prometheus/monitor.yaml @@ -1,5 +1,3 @@ - -# Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: diff --git a/trustyai-service-operator/rbac/kustomization.yaml b/trustyai-service-operator/rbac/kustomization.yaml index 731832a6a..ca04e399c 100644 --- a/trustyai-service-operator/rbac/kustomization.yaml +++ b/trustyai-service-operator/rbac/kustomization.yaml 
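Review bot: The resource list kept in manifests/kustomization.yaml still names `- ../samples`, but this same commit deletes trustyai-service-operator/samples/kustomization.yaml and its sample CR, so building this kustomization would fail on the missing directory. `- ../default` looks stale as well, since the series adds `base/` and no `default/` directory (inferred from the file list in the patch header). Either drop both entries or remove manifests/kustomization.yaml if the bundle layout is not consumed in this repository.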
@@ -1,17 +1,9 @@ resources: -# All RBAC will be applied under this service account in -# the deployment namespace. You may comment out this resource -# if your manager will use a service account that exists at -# runtime. Be sure to update RoleBinding and ClusterRoleBinding -# subjects if changing service account names. - service_account.yaml - role.yaml - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. - auth_proxy_service.yaml - auth_proxy_role.yaml - auth_proxy_role_binding.yaml diff --git a/trustyai-service-operator/rbac/leader_election_role.yaml b/trustyai-service-operator/rbac/leader_election_role.yaml index 0cba84c42..bde71fd2a 100644 --- a/trustyai-service-operator/rbac/leader_election_role.yaml +++ b/trustyai-service-operator/rbac/leader_election_role.yaml @@ -1,4 +1,3 @@ -# permissions to do leader election. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/trustyai-service-operator/rbac/trustyaiservice_editor_role.yaml b/trustyai-service-operator/rbac/trustyaiservice_editor_role.yaml index a34ef412e..71ac69687 100644 --- a/trustyai-service-operator/rbac/trustyaiservice_editor_role.yaml +++ b/trustyai-service-operator/rbac/trustyaiservice_editor_role.yaml @@ -1,4 +1,3 @@ -# permissions for end users to edit trustyaiservices. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/trustyai-service-operator/samples/kustomization.yaml b/trustyai-service-operator/samples/kustomization.yaml deleted file mode 100644 index 1c3b614d3..000000000 --- a/trustyai-service-operator/samples/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -## Append samples you want in your CSV to this file as resources ## -resources: -- trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml -#+kubebuilder:scaffold:manifestskustomizesamples 
diff --git a/trustyai-service-operator/samples/trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml b/trustyai-service-operator/samples/trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml deleted file mode 100644 index 7e01c4aa1..000000000 --- a/trustyai-service-operator/samples/trustyai.opendatahub.io_v1alpha1_trustyaiservice.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: trustyai.opendatahub.io.trustyai.opendatahub.io/v1alpha1 -kind: TrustyAIService -metadata: - labels: - app.kubernetes.io/name: trustyaiservice - app.kubernetes.io/instance: trustyaiservice-sample - app.kubernetes.io/part-of: trustyai-service-operator - app.kubernetes.io/managed-by: kustomize - app.kubernetes.io/created-by: trustyai-service-operator - name: trustyaiservice-sample -spec: - # TODO(user): Add fields here