Merge branch 'main' into release-0.12.0

Signed-off-by: Edgar Hernández <[email protected]>
opendatahub-io · May 10, 2024 · 07c981a · 07c981a
2 parents 2652154 + a3df072
commit 07c981a
Show file tree

Hide file tree

Showing 16 changed files with 294 additions and 130 deletions.
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
@@ -0,0 +1,103 @@
+name: Create Tag and Release with Changelog
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        description: 'Tag name for the new release'
+        required: true
+
+permissions:
+  contents: write
+  packages: write
+  pull-requests: write
+
+jobs:
+  fetch-tag:
+    runs-on: ubuntu-latest
+    outputs:
+      old_tag: ${{ steps.get_tag.outputs.old_tag_name }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+
+      - name: Get latest tag
+        id: get_tag
+        run: |
+          echo "old_tag_name=$(git ls-remote --tags origin | awk -F'/' '{print $3}' | grep -v '{}' | sort -V | tail -n1)" >> $GITHUB_OUTPUT
+      - name: print tag
+        id: print_tag
+        run: | 
+          echo "Old Tag=${{ steps.get_tag.outputs.old_tag_name }}"
+          echo "NEW_TAG=${{ github.event.inputs.tag_name }}" >> $GITHUB_ENV
+          echo "$(basename ${{ github.ref }})"
+
+      - name: Check if tag exists
+        id: check_tag
+        run: |
+         import sys
+         import subprocess
+         tag_name = "${{ github.event.inputs.tag_name }}"
+         command = ['git', 'tag', '-l', tag_name]
+         output = subprocess.check_output(command, stderr=subprocess.STDOUT)
+         if output.decode() != "":
+           print(f"Error: Tag '{tag_name}' already exists.", file=sys.stderr)
+           sys.exit(1)
+         else:
+           print(f"Tag '{tag_name}' does not exists.")
+        
+        shell: python
+        continue-on-error: false
+
+#this works only if params.env contains image:tag_version_number
+  update-params-env:
+    runs-on: ubuntu-latest
+    needs: fetch-tag
+    outputs:
+      param_env: ${{ steps.read_params_env.outputs.params_env }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Update params.env with new release version
+        run: |     
+          sed -i 's|:v[0-9.]*.*|:${{ github.event.inputs.tag_name }}|gm' config/base/params.env
+      - name: Commit changes
+        run: |
+          git config --global user.email "[email protected]"
+          git config --global user.name "GitHub Actions"
+          git add config/base/params.env
+          git commit -m "Update image refs for odh release."
+
+      - name: Create Tag
+        id: create_tag
+        run: |
+          git tag -a ${{ github.event.inputs.tag_name }} -m "Prepare for ODH release ${{ github.event.inputs.tag_name }}"
+          git push origin ${{ github.event.inputs.tag_name }}
+
+  changelog:
+    name: Changelog
+    needs: [fetch-tag,update-params-env]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          token: ${{ github.token }}
+          tag_name: ${{ github.event.inputs.tag_name }}
+          prerelease: false
+          draft: false
+    #this takes the path of payload to upload as an asset in the changelog
+          files: bin/*
+          generate_release_notes: true
+          name: ${{ github.event.inputs.tag_name }}
diff --git a/Makefile b/Makefile
@@ -34,7 +34,8 @@ help: ## Display this help.
 
 .PHONY: manifests
 manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
-	$(CONTROLLER_GEN) rbac:roleName=odh-model-controller-role,headerFile="hack/manifests_boilerplate.yaml.txt" crd paths="./..." output:crd:artifacts:config=config/crd/bases
+	# Any customization needed, apply to the webhook_patch.yaml file
+	$(CONTROLLER_GEN) rbac:roleName=odh-model-controller-role,headerFile="hack/manifests_boilerplate.yaml.txt" crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
 
 external-manifests: 
 	go get github.com/kserve/modelmesh-serving

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -59,6 +59,18 @@ spec:
                   name: auth-refs
                   key: AUTHORINO_LABEL
                   optional: true
+            - name: CONTROL_PLANE_NAME
+              valueFrom:
+                configMapKeyRef:
+                  name: service-mesh-refs
+                  key: CONTROL_PLANE_NAME
+                  optional: true
+            - name: MESH_NAMESPACE
+              valueFrom:
+                configMapKeyRef:
+                  name: service-mesh-refs
+                  key: MESH_NAMESPACE
+                  optional: true
           livenessProbe:
             httpGet:
               path: /healthz

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -25,9 +25,20 @@ rules:
   - endpoints
   - namespaces
   - pods
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
   - services
   verbs:
   - create
+  - delete
   - get
   - list
   - patch

diff --git a/config/webhook/field_patch.yaml b/config/webhook/field_patch.yaml
@@ -0,0 +1,3 @@
+- op: replace
+  path: /metadata/name
+  value: validating.odh-model-controller.opendatahub.io
diff --git a/config/webhook/kustomization.yaml b/config/webhook/kustomization.yaml
@@ -2,5 +2,21 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  - manifests.yaml
-  - service.yaml
+- manifests.yaml
+- service.yaml
+
+
+patches:
+  - path: webhook_patch.yaml
+    target:
+      group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      name: validating-webhook-configuration
+      version: v1
+  - path: field_patch.yaml
+    target:
+      group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      name: validating-webhook-configuration
+      version: v1
+
diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
@@ -2,15 +2,14 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
 metadata:
-  name: validating.odh-model-controller.opendatahub.io
-  annotations:
-    service.beta.openshift.io/inject-cabundle: true
+  name: validating-webhook-configuration
 webhooks:
 - admissionReviewVersions:
   - v1
   clientConfig:
     service:
-      name: odh-model-controller-webhook-service
+      name: webhook-service
+      namespace: system
       path: /validate-serving-knative-dev-v1-service
   failurePolicy: Fail
   name: validating.ksvc.odh-model-controller.opendatahub.io

diff --git a/config/webhook/webhook_patch.yaml b/config/webhook/webhook_patch.yaml
@@ -0,0 +1,16 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: validating.odh-model-controller.opendatahub.io
+  annotations:
+    service.beta.openshift.io/inject-cabundle: true
+webhooks:
+  - name: validating.ksvc.odh-model-controller.opendatahub.io
+    clientConfig:
+      service:
+        name: odh-model-controller-webhook-service
+    objectSelector:
+      matchExpressions:
+        - key: serving.kserve.io/inferenceservice
+          operator: Exists
+
diff --git a/controllers/constants/constants.go b/controllers/constants/constants.go
@@ -19,6 +19,7 @@ const (
 	InferenceServiceKind = "InferenceService"
 
 	IstioNamespace                   = "istio-system"
+	IstioControlPlaneName            = "data-science-smcp"
 	ServiceMeshMemberRollName        = "default"
 	IstioIngressService              = "istio-ingressgateway"
 	IstioIngressServiceHTTPPortName  = "http2"

diff --git a/controllers/reconcilers/kserve_istio_peerauthentication_reconciler.go b/controllers/reconcilers/kserve_istio_peerauthentication_reconciler.go
@@ -22,10 +22,7 @@ import (
 	"github.com/opendatahub-io/odh-model-controller/controllers/comparators"
 	"github.com/opendatahub-io/odh-model-controller/controllers/processors"
 	"github.com/opendatahub-io/odh-model-controller/controllers/resources"
-	"istio.io/api/security/v1beta1"
-	istiotypes "istio.io/api/type/v1beta1"
 	istiosecv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -51,9 +48,9 @@ func NewKServeIstioPeerAuthenticationReconciler(client client.Client) *KserveIst
 	}
 }
 
+// TODO remove this reconcile loop in future versions
 func (r *KserveIstioPeerAuthenticationReconciler) Reconcile(ctx context.Context, log logr.Logger, isvc *kservev1beta1.InferenceService) error {
-	log.V(1).Info("Reconciling PeerAuthentication for target namespace")
-
+	log.V(1).Info("Reconciling PeerAuthentication for target namespace, checking if there are resources for deletion")
 	// Create Desired resource
 	desiredResource, err := r.createDesiredResource(isvc)
 	if err != nil {
@@ -79,25 +76,7 @@ func (r *KserveIstioPeerAuthenticationReconciler) Cleanup(ctx context.Context, l
 }
 
 func (r *KserveIstioPeerAuthenticationReconciler) createDesiredResource(isvc *kservev1beta1.InferenceService) (*istiosecv1beta1.PeerAuthentication, error) {
-	desiredPeerAuthentication := &istiosecv1beta1.PeerAuthentication{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      peerAuthenticationName,
-			Namespace: isvc.Namespace,
-		},
-		Spec: v1beta1.PeerAuthentication{
-			Selector: &istiotypes.WorkloadSelector{
-				MatchLabels: map[string]string{
-					"component": "predictor",
-				},
-			},
-			Mtls: &v1beta1.PeerAuthentication_MutualTLS{Mode: 3},
-			PortLevelMtls: map[uint32]*v1beta1.PeerAuthentication_MutualTLS{
-				8086: {Mode: 2},
-				3000: {Mode: 2},
-			},
-		},
-	}
-	return desiredPeerAuthentication, nil
+	return nil, nil
 }
 
 func (r *KserveIstioPeerAuthenticationReconciler) getExistingResource(ctx context.Context, log logr.Logger, isvc *kservev1beta1.InferenceService) (*istiosecv1beta1.PeerAuthentication, error) {

diff --git a/controllers/reconcilers/kserve_istio_podmonitor_reconciler.go b/controllers/reconcilers/kserve_istio_podmonitor_reconciler.go
@@ -17,11 +17,13 @@ package reconcilers
 
 import (
 	"context"
+	"fmt"
 	"github.com/go-logr/logr"
 	kservev1beta1 "github.com/kserve/kserve/pkg/apis/serving/v1beta1"
 	"github.com/opendatahub-io/odh-model-controller/controllers/comparators"
 	"github.com/opendatahub-io/odh-model-controller/controllers/processors"
 	"github.com/opendatahub-io/odh-model-controller/controllers/resources"
+	"github.com/opendatahub-io/odh-model-controller/controllers/utils"
 	v1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -53,7 +55,7 @@ func (r *KserveIstioPodMonitorReconciler) Reconcile(ctx context.Context, log log
 	log.V(1).Info("Creating Istio PodMonitor for target namespace")
 
 	// Create Desired resource
-	desiredResource, err := r.createDesiredResource(isvc)
+	desiredResource, err := r.createDesiredResource(ctx, isvc)
 	if err != nil {
 		return err
 	}
@@ -76,7 +78,9 @@ func (r *KserveIstioPodMonitorReconciler) Cleanup(ctx context.Context, log logr.
 	return r.podMonitorHandler.DeletePodMonitor(ctx, types.NamespacedName{Name: istioPodMonitorName, Namespace: isvcNs})
 }
 
-func (r *KserveIstioPodMonitorReconciler) createDesiredResource(isvc *kservev1beta1.InferenceService) (*v1.PodMonitor, error) {
+func (r *KserveIstioPodMonitorReconciler) createDesiredResource(ctx context.Context, isvc *kservev1beta1.InferenceService) (*v1.PodMonitor, error) {
+	istioControlPlaneName, meshNamespace := utils.GetIstioControlPlaneName(ctx, r.client)
+
 	desiredPodMonitor := &v1.PodMonitor{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      istioPodMonitorName,
@@ -86,15 +90,60 @@ func (r *KserveIstioPodMonitorReconciler) createDesiredResource(isvc *kservev1be
 			Selector: metav1.LabelSelector{
 				MatchExpressions: []metav1.LabelSelectorRequirement{
 					{
-						Key:      "istio-prometheus-ignore",
-						Operator: metav1.LabelSelectorOpDoesNotExist,
+						Key:      "component",
+						Operator: metav1.LabelSelectorOpIn,
+						Values:   []string{"predictor", "explainer", "transformer"},
 					},
 				},
 			},
 			PodMetricsEndpoints: []v1.PodMetricsEndpoint{
 				{
 					Path:     "/stats/prometheus",
 					Interval: "30s",
+					RelabelConfigs: []*v1.RelabelConfig{
+						{
+							Action:       "keep",
+							SourceLabels: []v1.LabelName{"__meta_kubernetes_pod_container_name"},
+							Regex:        "istio-proxy",
+						},
+						{
+							Action:       "keep",
+							SourceLabels: []v1.LabelName{"__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape"},
+						},
+						{
+							Action:       "replace",
+							Regex:        "(\\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})",
+							Replacement:  "[$2]:$1",
+							SourceLabels: []v1.LabelName{"__meta_kubernetes_pod_annotation_prometheus_io_port", "__meta_kubernetes_pod_ip"},
+							TargetLabel:  "__address__",
+						},
+						{
+							Action:       "replace",
+							Regex:        "(\\d+);((([0-9]+?)(\\.|$)){4})",
+							Replacement:  "$2:$1",
+							SourceLabels: []v1.LabelName{"__meta_kubernetes_pod_annotation_prometheus_io_port", "__meta_kubernetes_pod_ip"},
+							TargetLabel:  "__address__",
+						},
+						{
+							Action: "labeldrop",
+							Regex:  "__meta_kubernetes_pod_label_(.+)",
+						},
+						{
+							Action:       "replace",
+							SourceLabels: []v1.LabelName{"__meta_kubernetes_namespace"},
+							TargetLabel:  "namespace",
+						},
+						{
+							Action:       "replace",
+							SourceLabels: []v1.LabelName{"__meta_kubernetes_pod_name"},
+							TargetLabel:  "pod_name",
+						},
+						{
+							Action:      "replace",
+							Replacement: fmt.Sprintf("%s-%s", istioControlPlaneName, meshNamespace),
+							TargetLabel: "mesh_id",
+						},
+					},
 				},
 			},
 		},