Federated mr implementation (#1288)

Enable MR access in federated mode

Signed-off-by: lucferbux <[email protected]>

Author: lucferbux

clients/ui/Makefile

@@ -32,11 +32,11 @@ dev-install-dependencies:
 
 .PHONY: dev-bff
 dev-bff:
-	cd bff && make run PORT=4000 MOCK_K8S_CLIENT=true MOCK_MR_CLIENT=true DEV_MODE=true STANDALONE_MODE=true FEDERATED_PLATFORM=false
+	cd bff && make run PORT=4000 MOCK_K8S_CLIENT=true MOCK_MR_CLIENT=true DEV_MODE=true DEPLOYMENT_MODE=standalone
 
 .PHONY: dev-frontend
 dev-frontend:
-	DEPLOYMENT_MODE=standalone && STYLE_THEME=mui-theme cd frontend && npm run start:dev
+	cd frontend && DEPLOYMENT_MODE=standalone STYLE_THEME=mui-theme npm run start:dev
 
 .PHONY: dev-start
 dev-start: 
@@ -49,24 +49,24 @@ dev-start-kubeflow:
 
 .PHONY: dev-frontend-kubeflow
 dev-frontend-kubeflow:
-	DEPLOYMENT_MODE=kubeflow && STYLE_THEME=mui-theme && cd frontend && npm run start:dev
+	cd frontend && DEPLOYMENT_MODE=kubeflow STYLE_THEME=mui-theme npm run start:dev
 
 .PHONY: dev-bff-kubeflow
 dev-bff-kubeflow:
-	cd bff && make run PORT=4000 MOCK_K8S_CLIENT=false MOCK_MR_CLIENT=false DEV_MODE=true STANDALONE_MODE=false FEDERATED_PLATFORM=false DEV_MODE_PORT=8085
+	cd bff && make run PORT=4000 MOCK_K8S_CLIENT=false MOCK_MR_CLIENT=false DEV_MODE=true DEPLOYMENT_MODE=kubeflow DEV_MODE_PORT=8085
 
-########### Dev Federated ############
+########### Dev Federated ###########
 .PHONY: dev-start-federated
 dev-start-federated: 
 	make -j 2 dev-bff-federated dev-frontend-federated
 
 .PHONY: dev-frontend-federated
 dev-frontend-federated:
-	DEPLOYMENT_MODE=federated && STYLE_THEME=patternfly && cd frontend && npm run start:dev
+	cd frontend && AUTH_METHOD=user_token DEPLOYMENT_MODE=federated STYLE_THEME=patternfly npm run start:dev
 
 .PHONY: dev-bff-federated
 dev-bff-federated:
-	cd bff && make run PORT=4000 MOCK_K8S_CLIENT=false MOCK_MR_CLIENT=false DEV_MODE=true STANDALONE_MODE=false FEDERATED_PLATFORM=true DEV_MODE_PORT=8085
+	cd bff && make run PORT=4000 MOCK_K8S_CLIENT=false MOCK_MR_CLIENT=false DEV_MODE=true DEPLOYMENT_MODE=federated DEV_MODE_PORT=8085 AUTH_METHOD=user_token AUTH_TOKEN_HEADER=x-forwarded-access-token AUTH_TOKEN_PREFIX=""
 
 ############ Build ############
 
@@ -121,7 +121,7 @@ kubeflow-deployment:
 ############ Build ############	
 .PHONY: frontend-build
 frontend-build:
-	cd frontend && DEPLOYMENT_MODE=kubeflow && npm run build:prod
+	cd frontend && DEPLOYMENT_MODE=kubeflow npm run build:prod
 
 .PHONY: frontend-build-standalone
 frontend-build-standalone:

clients/ui/bff/internal/api/middleware.go

@@ -8,6 +8,7 @@ import (
 	"runtime/debug"
 	"strings"
 
+	"github.com/kubeflow/model-registry/ui/bff/internal/config"
 	"github.com/kubeflow/model-registry/ui/bff/internal/integrations/kubernetes"
 	"github.com/kubeflow/model-registry/ui/bff/internal/integrations/mrserver"
 
@@ -102,7 +103,7 @@ func (app *App) AttachRESTClient(next func(http.ResponseWriter, *http.Request, h
 			return
 		}
 
-		modelRegistry, err := app.repositories.ModelRegistry.GetModelRegistry(r.Context(), client, namespace, modelRegistryID)
+		modelRegistry, err := app.repositories.ModelRegistry.GetModelRegistryWithMode(r.Context(), client, namespace, modelRegistryID, app.config.DeploymentMode.IsFederatedMode())
 		if err != nil {
 			app.notFoundResponse(w, r)
 			return
@@ -111,8 +112,9 @@ func (app *App) AttachRESTClient(next func(http.ResponseWriter, *http.Request, h
 
 		// If we are in dev mode, we need to resolve the server address to the local host
 		// to allow the client to connect to the model registry via port forwarded from the cluster to the local machine.
-		if app.config.DevMode {
-			modelRegistryBaseURL = app.repositories.ModelRegistry.ResolveServerAddress("localhost", int32(app.config.DevModePort), modelRegistry.IsHTTPS)
+		// If you are in federated mode, we do not want to override the server address.
+		if app.config.DevMode && !app.config.DeploymentMode.IsFederatedMode() {
+			modelRegistryBaseURL = app.repositories.ModelRegistry.ResolveServerAddress("localhost", int32(app.config.DevModePort), modelRegistry.IsHTTPS, "", app.config.DeploymentMode.IsFederatedMode())
 		}
 
 		// Set up a child logger for the rest client that automatically adds the request id to all statements for
@@ -127,7 +129,21 @@ func (app *App) AttachRESTClient(next func(http.ResponseWriter, *http.Request, h
 			}
 		}
 
-		restHttpClient, err := mrserver.NewHTTPClient(restClientLogger, modelRegistryID, modelRegistryBaseURL)
+		// Prepare headers for the REST client
+		headers := http.Header{}
+
+		// If using user token authentication, extract and forward the authorization header
+		if app.config.AuthMethod == config.AuthMethodUser {
+			identity, ok := r.Context().Value(constants.RequestIdentityKey).(*kubernetes.RequestIdentity)
+			if ok && identity != nil && identity.Token != "" {
+				// Always send as "Authorization: Bearer <token>" regardless of incoming header format
+				// The identity.Token already has any prefix removed by ExtractRequestIdentity
+				authHeaderValue := "Bearer " + identity.Token
+				headers.Set("Authorization", authHeaderValue)
+			}
+		}
+
+		restHttpClient, err := mrserver.NewHTTPClient(restClientLogger, modelRegistryID, modelRegistryBaseURL, headers)
 		if err != nil {
 			app.serverErrorResponse(w, r, fmt.Errorf("failed to create Kubernetes client: %v", err))
 			return

clients/ui/bff/internal/api/model_registry_handler.go

@@ -25,7 +25,7 @@ func (app *App) GetAllModelRegistriesHandler(w http.ResponseWriter, r *http.Requ
 		return
 	}
 
-	registries, err := app.repositories.ModelRegistry.GetAllModelRegistries(r.Context(), client, namespace)
+	registries, err := app.repositories.ModelRegistry.GetAllModelRegistriesWithMode(r.Context(), client, namespace, app.config.DeploymentMode.IsFederatedMode())
 	if err != nil {
 		app.serverErrorResponse(w, r, err)
 		return

clients/ui/bff/internal/integrations/kubernetes/shared_k8s_client.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"strings"
 	"time"
 
 	"github.com/kubeflow/model-registry/ui/bff/internal/constants"
@@ -96,25 +97,30 @@ func buildServiceDetails(service *corev1.Service, logger *slog.Logger) (*Service
 
 	displayName := ""
 	description := ""
+	externalAddressRest := ""
+
+	// Check for annotations including external-address-rest
 	if service.Annotations != nil {
 		displayName = service.Annotations["displayName"]
 		description = service.Annotations["description"]
-	}
 
-	if displayName == "" {
-		logger.Warn("service missing displayName annotation", "serviceName", service.Name)
-	}
-	if description == "" {
-		logger.Warn("service missing description annotation", "serviceName", service.Name)
+		// Look for external-address-rest annotation with any prefix
+		for key, value := range service.Annotations {
+			if strings.HasSuffix(key, "/external-address-rest") {
+				externalAddressRest = value
+				break
+			}
+		}
 	}
 
 	return &ServiceDetails{
-		Name:        service.Name,
-		DisplayName: displayName,
-		Description: description,
-		ClusterIP:   service.Spec.ClusterIP,
-		HTTPPort:    httpPort,
-		IsHTTPS:     isHTTPS,
+		Name:                service.Name,
+		DisplayName:         displayName,
+		Description:         description,
+		ClusterIP:           service.Spec.ClusterIP,
+		HTTPPort:            httpPort,
+		IsHTTPS:             isHTTPS,
+		ExternalAddressRest: externalAddressRest,
 	}, nil
 }
 

clients/ui/bff/internal/integrations/kubernetes/types.go

@@ -1,12 +1,13 @@
 package kubernetes
 
 type ServiceDetails struct {
-	Name        string
-	DisplayName string
-	Description string
-	ClusterIP   string
-	HTTPPort    int32
-	IsHTTPS     bool
+	Name                string
+	DisplayName         string
+	Description         string
+	ClusterIP           string
+	HTTPPort            int32
+	IsHTTPS             bool
+	ExternalAddressRest string
 }
 
 type RequestIdentity struct {

clients/ui/bff/internal/integrations/mrserver/http.go

@@ -24,6 +24,7 @@ type HTTPClient struct {
 	baseURL         string
 	ModelRegistryID string
 	logger          *slog.Logger
+	Headers         http.Header
 }
 
 type ErrorResponse struct {
@@ -40,7 +41,7 @@ func (e *HTTPError) Error() string {
 	return fmt.Sprintf("HTTP %d: %s - %s", e.StatusCode, e.Code, e.Message)
 }
 
-func NewHTTPClient(logger *slog.Logger, modelRegistryID string, baseURL string) (HTTPClientInterface, error) {
+func NewHTTPClient(logger *slog.Logger, modelRegistryID string, baseURL string, headers http.Header) (HTTPClientInterface, error) {
 
 	return &HTTPClient{
 		client: &http.Client{Transport: &http.Transport{
@@ -49,6 +50,7 @@ func NewHTTPClient(logger *slog.Logger, modelRegistryID string, baseURL string)
 		baseURL:         baseURL,
 		ModelRegistryID: modelRegistryID,
 		logger:          logger,
+		Headers:         headers,
 	}, nil
 }
 
@@ -65,6 +67,8 @@ func (c *HTTPClient) GET(url string) ([]byte, error) {
 		return nil, err
 	}
 
+	c.applyHeaders(req)
+
 	logUpstreamReq(c.logger, requestId, req)
 
 	response, err := c.client.Do(req)
@@ -120,6 +124,8 @@ func (c *HTTPClient) POST(url string, body io.Reader) ([]byte, error) {
 
 	req.Header.Set("Content-Type", "application/json")
 
+	c.applyHeaders(req)
+
 	logUpstreamReq(c.logger, requestId, req)
 
 	response, err := c.client.Do(req)
@@ -175,6 +181,8 @@ func (c *HTTPClient) PATCH(url string, body io.Reader) ([]byte, error) {
 
 	req.Header.Set("Content-Type", "application/json")
 
+	c.applyHeaders(req)
+
 	logUpstreamReq(c.logger, requestId, req)
 
 	response, err := c.client.Do(req)
@@ -218,6 +226,16 @@ func (c *HTTPClient) PATCH(url string, body io.Reader) ([]byte, error) {
 	return responseBody, nil
 }
 
+func (c *HTTPClient) applyHeaders(req *http.Request) {
+	if c.Headers != nil {
+		for key, values := range c.Headers {
+			for _, value := range values {
+				req.Header.Add(key, value)
+			}
+		}
+	}
+}
+
 func logUpstreamReq(logger *slog.Logger, reqId string, req *http.Request) {
 	logger.Debug("Making upstream HTTP request", slog.String("request_id", reqId), slog.Any("request", helper.RequestLogValuer{Request: req}))
 }

clients/ui/bff/internal/integrations/mrserver/http_test.go

@@ -37,7 +37,7 @@ func TestHTTPClient_GET_Success(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
 	require.NoError(t, err)
 
 	// Make the request
@@ -73,7 +73,7 @@ func TestHTTPClient_GET_Error(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
 	require.NoError(t, err)
 
 	// Make the request
@@ -123,7 +123,7 @@ func TestHTTPClient_POST_Success(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
 	require.NoError(t, err)
 
 	// Prepare request body
@@ -164,7 +164,7 @@ func TestHTTPClient_POST_Error(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
 	require.NoError(t, err)
 
 	// Prepare request body
@@ -218,7 +218,7 @@ func TestHTTPClient_PATCH_Success(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
 	require.NoError(t, err)
 
 	// Prepare request body
@@ -259,7 +259,7 @@ func TestHTTPClient_PATCH_Error(t *testing.T) {
 
 	// Create client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
 	require.NoError(t, err)
 
 	// Prepare request body
@@ -300,7 +300,7 @@ func TestHTTPClient_GET_NonJSONError(t *testing.T) {
 
 	// Create http client pointing to test server
 	logger := setupTestLogger()
-	client, err := NewHTTPClient(logger, "test-registry", server.URL)
+	client, err := NewHTTPClient(logger, "test-registry", server.URL, nil)
 	require.NoError(t, err)
 
 	// Make the request

clients/ui/bff/internal/repositories/model_registry.go

@@ -17,6 +17,12 @@ func NewModelRegistryRepository() *ModelRegistryRepository {
 }
 
 func (m *ModelRegistryRepository) GetAllModelRegistries(sessionCtx context.Context, client k8s.KubernetesClientInterface, namespace string) ([]models.ModelRegistryModel, error) {
+	// Default to non-federated mode for backward compatibility
+	return m.GetAllModelRegistriesWithMode(sessionCtx, client, namespace, false)
+}
+
+// GetAllModelRegistriesWithMode fetches all model registries with support for federated mode
+func (m *ModelRegistryRepository) GetAllModelRegistriesWithMode(sessionCtx context.Context, client k8s.KubernetesClientInterface, namespace string, isFederatedMode bool) ([]models.ModelRegistryModel, error) {
 
 	// TODO: In default mode fetch Routes for external access.
 	resources, err := client.GetServiceDetails(sessionCtx, namespace)
@@ -27,7 +33,7 @@ func (m *ModelRegistryRepository) GetAllModelRegistries(sessionCtx context.Conte
 
 	var registries = []models.ModelRegistryModel{}
 	for _, s := range resources {
-		serverAddress := m.ResolveServerAddress(s.ClusterIP, s.HTTPPort, s.IsHTTPS)
+		serverAddress := m.ResolveServerAddress(s.ClusterIP, s.HTTPPort, s.IsHTTPS, s.ExternalAddressRest, isFederatedMode)
 		registry := models.ModelRegistryModel{
 			Name:          s.Name,
 			Description:   s.Description,
@@ -42,6 +48,12 @@ func (m *ModelRegistryRepository) GetAllModelRegistries(sessionCtx context.Conte
 }
 
 func (m *ModelRegistryRepository) GetModelRegistry(sessionCtx context.Context, client k8s.KubernetesClientInterface, namespace string, modelRegistryID string) (models.ModelRegistryModel, error) {
+	// Default to non-federated mode for backward compatibility
+	return m.GetModelRegistryWithMode(sessionCtx, client, namespace, modelRegistryID, false)
+}
+
+// GetModelRegistryWithMode fetches a specific model registry with support for federated mode
+func (m *ModelRegistryRepository) GetModelRegistryWithMode(sessionCtx context.Context, client k8s.KubernetesClientInterface, namespace string, modelRegistryID string, isFederatedMode bool) (models.ModelRegistryModel, error) {
 
 	s, err := client.GetServiceDetailsByName(sessionCtx, namespace, modelRegistryID)
 	if err != nil {
@@ -52,18 +64,26 @@ func (m *ModelRegistryRepository) GetModelRegistry(sessionCtx context.Context, c
 		Name:          s.Name,
 		Description:   s.Description,
 		DisplayName:   s.DisplayName,
-		ServerAddress: m.ResolveServerAddress(s.ClusterIP, s.HTTPPort, s.IsHTTPS),
+		ServerAddress: m.ResolveServerAddress(s.ClusterIP, s.HTTPPort, s.IsHTTPS, s.ExternalAddressRest, isFederatedMode),
 		IsHTTPS:       s.IsHTTPS,
 	}
 
 	return modelRegistry, nil
 }
 
-func (m *ModelRegistryRepository) ResolveServerAddress(clusterIP string, httpPort int32, isHTTPS bool) string {
+func (m *ModelRegistryRepository) ResolveServerAddress(clusterIP string, httpPort int32, isHTTPS bool, externalAddressRest string, isFederatedMode bool) string {
+	// Default behavior - use cluster IP and port
 	protocol := "http"
 	if isHTTPS {
 		protocol = "https"
 	}
+	// In federated mode, if external address is available, use it
+	if isFederatedMode && externalAddressRest != "" {
+		// External address is assumed to be HTTPS
+		url := fmt.Sprintf("%s://%s/api/model_registry/v1alpha3", protocol, externalAddressRest)
+		return url
+	}
+
 	url := fmt.Sprintf("%s://%s:%d/api/model_registry/v1alpha3", protocol, clusterIP, httpPort)
 	return url
 }

clients/ui/frontend/config/dotenv.js

@@ -146,6 +146,7 @@ const setupDotenvFilesForEnv = ({ env }) => {
   setupDotenvFile(path.resolve(RELATIVE_DIRNAME, '.env'));
 
   const DEPLOYMENT_MODE = process.env.DEPLOYMENT_MODE || 'kubeflow';
+  const AUTH_METHOD = process.env.AUTH_METHOD || 'internal';
   const IMAGES_DIRNAME = process.env.IMAGES_DIRNAME || 'images';
   const PUBLIC_PATH = process.env.PUBLIC_PATH || '/';
   const SRC_DIR = path.resolve(RELATIVE_DIRNAME, process.env.SRC_DIR || TS_BASE_URL || 'src');
@@ -174,6 +175,7 @@ const setupDotenvFilesForEnv = ({ env }) => {
   process.env._OUTPUT_ONLY = OUTPUT_ONLY;
   process.env._DEV_MODE = DEV_MODE;
   process.env._DEPLOYMENT_MODE = DEPLOYMENT_MODE;
+  process.env._AUTH_METHOD = AUTH_METHOD;
 };
 
 module.exports = { setupWebpackDotenvFilesForEnv, setupDotenvFilesForEnv };