Merge pull request llm-d-incubation#114 from amito/feature/model-catalog-benchmarks-1

Integrate Model Catalog as external data source

Author: anfredette

Dockerfile

@@ -29,9 +29,12 @@ COPY data ./data
 # Copy scripts (schema init, benchmark loading — used by db-init Job)
 COPY scripts ./scripts
 
-# Create directories for generated files
-RUN mkdir -p /app/generated_configs /app/logs/prompts && \
-    chmod -R 770 /app/generated_configs /app/logs
+# Create non-root user and directories for generated files
+RUN groupadd --gid 1001 appuser && \
+    useradd --uid 1001 --gid 0 --no-create-home appuser && \
+    mkdir -p /app/generated_configs /app/logs/prompts && \
+    chown -R appuser:0 /app && \
+    chmod -R g=u /app/generated_configs /app/logs
 
 # Set environment variables
 ENV PYTHONPATH=/app/src
@@ -41,6 +44,9 @@ ENV PATH="/app/.venv/bin:$PATH"
 
 ARG MODEL_CATALOG_URL
 
+# Switch to non-root user
+USER appuser
+
 # Expose backend API port
 EXPOSE 8000
 

deploy/kubernetes/backend.yaml

@@ -17,11 +17,23 @@ spec:
         app.kubernetes.io/name: backend
         app.kubernetes.io/part-of: neuralnav
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: backend
           image: quay.io/neuralnav/neuralnav-backend:latest
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
           ports:
             - containerPort: 8000
+          envFrom:
+            - configMapRef:
+                name: neuralnav-config
           env:
             - name: POSTGRES_PASSWORD
               valueFrom:
@@ -30,8 +42,12 @@ spec:
                   key: postgres-password
             - name: DATABASE_URL
               value: postgresql://neuralnav:$(POSTGRES_PASSWORD)@postgres:5432/neuralnav
-            - name: MODEL_CATALOG_URL
-              value: http://model-registry.odh-model-registries.svc:8080
+            - name: MODEL_CATALOG_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: neuralnav-secrets
+                  key: model-catalog-token
+                  optional: true
             - name: OLLAMA_HOST
               value: http://ollama:11434
             - name: OLLAMA_MODEL
@@ -42,6 +58,10 @@ spec:
               value: "8000"
             - name: CORS_ORIGINS
               value: "*"
+          volumeMounts:
+            - name: service-ca
+              mountPath: /etc/pki/service-ca
+              readOnly: true
           readinessProbe:
             httpGet:
               path: /health
@@ -63,6 +83,11 @@ spec:
             limits:
               cpu: "2"
               memory: 2Gi
+      volumes:
+        - name: service-ca
+          configMap:
+            name: neuralnav-service-ca
+            optional: true
 ---
 apiVersion: v1
 kind: Service

deploy/kubernetes/configmap.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: neuralnav-config
+  namespace: neuralnav
+  labels:
+    app.kubernetes.io/part-of: neuralnav
+data:
+  # Benchmark data source: "postgresql" (default) or "model_catalog" (RHOAI)
+  NEURALNAV_BENCHMARK_SOURCE: postgresql
+
+  # Model Catalog connection (only used when NEURALNAV_BENCHMARK_SOURCE=model_catalog)
+  MODEL_CATALOG_URL: https://model-catalog.rhoai-model-registries.svc:8443
+  MODEL_CATALOG_SOURCE_ID: redhat_ai_validated_models
+  MODEL_CATALOG_VERIFY_SSL: "true"
+  # Path to the OpenShift service-serving CA bundle (mounted via service-ca ConfigMap)
+  MODEL_CATALOG_CA_BUNDLE: /etc/pki/service-ca/service-ca.crt

deploy/kubernetes/deploy-all.sh

@@ -3,14 +3,47 @@ set -e
 
 echo "Deploying NeuralNav..."
 
+# Apply base infrastructure (everything except backend, which needs
+# service-ca and NetworkPolicy to be ready first)
 oc apply -f deploy/kubernetes/namespace.yaml \
          -f deploy/kubernetes/secrets.yaml \
+         -f deploy/kubernetes/configmap.yaml \
+         -f deploy/kubernetes/service-ca-configmap.yaml \
          -f deploy/kubernetes/postgres.yaml \
          -f deploy/kubernetes/ollama.yaml \
-         -f deploy/kubernetes/backend.yaml \
          -f deploy/kubernetes/ui.yaml \
          -f deploy/kubernetes/route.yaml
 
+# Cross-namespace NetworkPolicy (allows neuralnav backend -> Model Catalog)
+BENCHMARK_SOURCE=$(oc get configmap neuralnav-config -n neuralnav -o jsonpath='{.data.NEURALNAV_BENCHMARK_SOURCE}') || {
+  echo "Warning: Failed to read neuralnav-config configmap, skipping Model Catalog network policy"
+  BENCHMARK_SOURCE=""
+}
+if [ "$BENCHMARK_SOURCE" = "model_catalog" ]; then
+  echo "Applying Model Catalog network policy..."
+  oc apply -f deploy/kubernetes/networkpolicy-model-catalog.yaml
+
+  echo "Waiting for service-ca certificate injection..."
+  for i in $(seq 1 30); do
+    if oc get configmap neuralnav-service-ca -n neuralnav -o jsonpath='{.data.service-ca\.crt}' 2>/dev/null | grep -q "BEGIN CERTIFICATE"; then
+      echo "Service CA certificate is ready."
+      break
+    fi
+    if [ "$i" -eq 30 ]; then
+      echo "Error: Timed out waiting for service-ca certificate injection" >&2
+      exit 1
+    fi
+    sleep 2
+  done
+else
+  echo "Skipping Model Catalog network policy (benchmark source: ${BENCHMARK_SOURCE:-postgresql})"
+  oc delete -f deploy/kubernetes/networkpolicy-model-catalog.yaml --ignore-not-found
+fi
+
+# Apply backend after prerequisites are ready
+echo "Deploying backend..."
+oc apply -f deploy/kubernetes/backend.yaml
+
 echo "Waiting for PostgreSQL to be ready..."
 oc wait --for=condition=ready pod -l app.kubernetes.io/name=postgres -n neuralnav --timeout=120s
 

deploy/kubernetes/networkpolicy-model-catalog.yaml

@@ -0,0 +1,29 @@
+# Allow the neuralnav namespace to reach the Model Catalog API
+# in rhoai-model-registries.  Applied separately because the target
+# namespace is outside of neuralnav.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-neuralnav-to-model-catalog
+  namespace: rhoai-model-registries
+  labels:
+    app.kubernetes.io/part-of: neuralnav
+spec:
+  # Match the Model Catalog pods.  Use a single label to avoid
+  # fragility if the upstream deployment labels change.
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: model-catalog
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: neuralnav
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: backend
+      ports:
+        - port: 8443
+          protocol: TCP
+  policyTypes:
+    - Ingress

deploy/kubernetes/secrets.yaml

@@ -8,3 +8,6 @@ metadata:
 type: Opaque
 stringData:
   postgres-password: changeme
+  # Model Catalog bearer token (only needed when NEURALNAV_BENCHMARK_SOURCE=model_catalog)
+  # On OpenShift, can use the ServiceAccount token instead
+  model-catalog-token: ""

deploy/kubernetes/service-ca-configmap.yaml

@@ -0,0 +1,11 @@
+# OpenShift injects the service-serving CA bundle into this ConfigMap.
+# The annotation triggers automatic injection of the cluster's service CA.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: neuralnav-service-ca
+  namespace: neuralnav
+  labels:
+    app.kubernetes.io/part-of: neuralnav
+  annotations:
+    service.beta.openshift.io/inject-cabundle: "true"

docker-compose.yml

@@ -60,6 +60,16 @@ services:
       API_HOST: 0.0.0.0
       API_PORT: 8000
 
+      # Benchmark data source: "postgresql" (default) or "model_catalog" (RHOAI)
+      NEURALNAV_BENCHMARK_SOURCE: ${NEURALNAV_BENCHMARK_SOURCE:-postgresql}
+
+      # Model Catalog connection (only used when NEURALNAV_BENCHMARK_SOURCE=model_catalog)
+      MODEL_CATALOG_URL: ${MODEL_CATALOG_URL:-}
+      MODEL_CATALOG_TOKEN: ${MODEL_CATALOG_TOKEN:-}
+      MODEL_CATALOG_SOURCE_ID: ${MODEL_CATALOG_SOURCE_ID:-redhat_ai_validated_models}
+      MODEL_CATALOG_VERIFY_SSL: ${MODEL_CATALOG_VERIFY_SSL:-true}
+      MODEL_CATALOG_CA_BUNDLE: ${MODEL_CATALOG_CA_BUNDLE:-}
+
       # Enable CORS for local development
       CORS_ORIGINS: http://localhost:8501,http://ui:8501
     volumes:

scripts/schema.sql

@@ -51,9 +51,18 @@ CREATE TABLE IF NOT EXISTS exported_summaries (
     profiler_type text,
     profiler_image text,
     profiler_tag text,
+    source text NOT NULL DEFAULT 'local',
+    model_uri text,
     CONSTRAINT exported_summaries_pkey PRIMARY KEY (id)
 );
 
+-- Idempotent migrations for existing databases
+ALTER TABLE exported_summaries ADD COLUMN IF NOT EXISTS source text NOT NULL DEFAULT 'local';
+ALTER TABLE exported_summaries ADD COLUMN IF NOT EXISTS model_uri text;
+
+-- Unique constraint on config_id (required for ON CONFLICT in upsert queries)
+CREATE UNIQUE INDEX IF NOT EXISTS idx_config_id_unique ON exported_summaries (config_id);
+
 -- Create indexes for efficient lookups
 CREATE INDEX IF NOT EXISTS idx_benchmark_lookup
 ON exported_summaries(model_hf_repo, hardware, hardware_count, prompt_tokens, output_tokens);

src/neuralnav/api/dependencies.py

@@ -8,7 +8,8 @@
 import asyncio
 import logging
 import os
-from typing import cast
+import threading
+from typing import Any, cast
 
 from fastapi import FastAPI, HTTPException, Request, status
 from starlette.concurrency import run_in_threadpool
@@ -29,6 +30,63 @@
 )
 logger = logging.getLogger(__name__)
 
+_VALID_BENCHMARK_SOURCES = {"postgresql", "model_catalog"}
+
+
+def _get_benchmark_source_type() -> str:
+    """Get configured benchmark source type."""
+    source = os.getenv("NEURALNAV_BENCHMARK_SOURCE", "postgresql").strip().lower()
+    if source not in _VALID_BENCHMARK_SOURCES:
+        logger.warning(
+            "Unknown NEURALNAV_BENCHMARK_SOURCE='%s'; defaulting to 'postgresql'",
+            source,
+        )
+        return "postgresql"
+    return source
+
+
+def _sync_model_catalog_async(
+    client: Any,
+    database_url: str,
+    model_catalog: ModelCatalog,
+    quality_scorer: Any,
+) -> threading.Thread:
+    """Run Model Catalog sync in a background thread.
+
+    The app starts serving immediately (health probes, etc.)
+    while catalog data syncs in the background.
+    """
+
+    def _sync() -> None:
+        try:
+            import psycopg2
+
+            from neuralnav.knowledge_base.model_catalog_sync import sync_model_catalog
+
+            logger.info("Background sync: loading Model Catalog data into PostgreSQL...")
+            conn = psycopg2.connect(database_url)
+            try:
+                result = sync_model_catalog(
+                    client=client,
+                    conn=conn,
+                    model_catalog=model_catalog,
+                    quality_scorer=quality_scorer,
+                )
+                if result.errors:
+                    logger.warning(
+                        "Model Catalog sync completed with %d errors", len(result.errors)
+                    )
+                else:
+                    logger.info("Background sync: Model Catalog data ready")
+            finally:
+                conn.close()
+        except Exception:
+            logger.exception("Background Model Catalog sync failed")
+
+    thread = threading.Thread(target=_sync, name="model-catalog-sync", daemon=True)
+    thread.start()
+    return thread
+
 
 # ---------------------------------------------------------------------------
 # Lifespan: initialize all singletons on app.state
@@ -37,12 +95,42 @@
 
 def init_app_state(app: FastAPI) -> None:
     """Initialize all singletons on app.state during lifespan startup."""
+    source_type = _get_benchmark_source_type()
+
+    # Always create the same components — single code path
     app.state.model_catalog = ModelCatalog()
     app.state.slo_repo = SLOTemplateRepository()
     app.state.deployment_generator = DeploymentGenerator(simulator_mode=False)
     app.state.yaml_validator = YAMLValidator()
     app.state.cluster_managers = {}  # dict[str, KubernetesClusterManager]
-    app.state.workflow = RecommendationWorkflow()
+
+    if source_type == "model_catalog":
+        from neuralnav.knowledge_base.model_catalog_client import ModelCatalogClient
+        from neuralnav.recommendation.config_finder import ConfigFinder
+        from neuralnav.recommendation.quality.usecase_scorer import UseCaseQualityScorer
+
+        client = ModelCatalogClient()
+        app.state.model_catalog_client = client
+        quality_scorer = UseCaseQualityScorer()
+
+        # Wire shared instances so sync updates propagate to recommendations
+        config_finder = ConfigFinder(catalog=app.state.model_catalog, quality_scorer=quality_scorer)
+        app.state.workflow = RecommendationWorkflow(config_finder=config_finder)
+
+        database_url = os.getenv(
+            "DATABASE_URL",
+            "postgresql://postgres:neuralnav@localhost:5432/neuralnav",
+        )
+
+        logger.info("Using Model Catalog as benchmark source (syncing to PostgreSQL)")
+        app.state.model_catalog_sync_thread = _sync_model_catalog_async(
+            client, database_url, app.state.model_catalog, quality_scorer
+        )
+    else:
+        app.state.model_catalog_client = None
+        app.state.model_catalog_sync_thread = None
+        app.state.workflow = RecommendationWorkflow()
+        logger.info("Using PostgreSQL as benchmark source")
 
 
 # ---------------------------------------------------------------------------