update: chart for deployment on ocp, kind, k8s

- update on Makefile for ocp, we should not have prom stack or GW
  created on ocp
- fix the order of prompt warning if should create GW
- update helm template for handling tls cert
  ocp: just use annotation which creates the cert in the mounted secret-
  kind/k8s: if set a caCerrPath with non-default value, use it, by
  install.sh, it creates the secret prometheus-web-tls and with tls.crt
  as the key inside. no need extract secret's tls.crt
- add missing config for values-dev.yaml
- deprecate "caCert" instead of new caCertPath or existingSecret + key

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

update: cleanup

- remove cert extraction for prom adaptor
- remove creation of configmap
- remove reference in OCP

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

update: bump version for llm-d and all images + add support for podman

- use env variable LLM_D_RELEASE to control all image in the
  deploy/install.sh
- clone llm-d to local based on local version if match required release
  version
- use env variable CONTAINER_TOOL to support podmano on fedora
- remove/update *ignore files

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

fix: k8s label cannot have "/" sanitize MODLE_ID

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

fix: add timeout for prom adaptor + create secret in wva namespace from
prom ns

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

fix: github action e2e which uses "LLM_D_RELEASE:main"

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

fix: API bump

- old test was based on v1alph2 of GIE for infpool
- new default is on v1 for infpool

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

update: code review and go fmt

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

Author: zdtsw

.dockerignore

@@ -14,6 +14,7 @@ vendor/
 
 # Submodules and sibling repos (not needed for building the manager binary)
 sample-data/
+llm-d/
 llm-d-infra/
 # If building from a parent repo that includes llmd or GAIE, add:
 # llmd/

.github/workflows/ci-e2e-openshift.yaml

@@ -398,7 +398,8 @@ jobs:
       HPA_STABILIZATION_SECONDS: ${{ github.event.inputs.hpa_stabilization_seconds || '240' }}
       SKIP_CLEANUP: ${{ github.event.inputs.skip_cleanup || 'false' }}
       # Use main branch of llm-d/llm-d for inferencepool chart v1.2.1 (GA API support)
-      LLM_D_RELEASE: main
+      LLM_D_EPP_RELEASE: main
+      LLM_D_SIM_RELEASE: main
       # PR-specific namespaces for isolation between concurrent PR tests
       # Primary llm-d namespace (Model A1 + A2)
       LLMD_NAMESPACE: llm-d-inference-scheduler-pr-${{ needs.gate.outputs.pr_number || github.run_id }}

.gitignore

@@ -30,8 +30,6 @@ gpu.cluster
 # llm-d and llm-d-infra directories
 llm-d/
 llm-d-infra/
-llmd/
-llmd-infra/
 
 *.tgz
 actionlint

Makefile

@@ -7,7 +7,7 @@ CLUSTER_GPU_TYPE ?= nvidia-mix
 CLUSTER_NODES ?= 3
 CLUSTER_GPUS ?= 4
 KUBECONFIG ?= $(HOME)/.kube/config
-K8S_VERSION ?= v1.32.0
+K8S_VERSION ?= v1.32.0 # match OCP 4.19
 
 CONTROLLER_NAMESPACE ?= workload-variant-autoscaler-system
 MONITORING_NAMESPACE ?= openshift-user-workload-monitoring
@@ -44,7 +44,7 @@ endif
 # CONTAINER_TOOL defines the container tool to be used for building images.
 # Be aware that the target commands are only tested with Docker which is
 # scaffolded by default. However, you might want to replace it to use other
-# tools. (i.e. podman)
+# tools. (i.e. docker, podman)
 CONTAINER_TOOL ?= docker
 
 # Setting SHELL to bash allows bash commands to be executed by recipes.
@@ -127,9 +127,9 @@ undeploy-wva-emulated-on-kind:
 ## Deploy WVA to OpenShift cluster with specified image.
 .PHONY: deploy-wva-on-openshift
 deploy-wva-on-openshift: manifests kustomize ## Deploy WVA to OpenShift cluster with specified image.
-	@echo "Deploying WVA to OpenShift with image: $(IMG)"
+	@echo "Deploying WVA to OpenShift with image: $(IMG) by default no GW nor Prom stack to be created"
 	@echo "Target namespace: $(or $(NAMESPACE),workload-variant-autoscaler-system)"
-	NAMESPACE=$(or $(NAMESPACE),workload-variant-autoscaler-system) IMG=$(IMG) ENVIRONMENT=openshift DEPLOY_LLM_D=$(DEPLOY_LLM_D) ./deploy/install.sh
+	NAMESPACE=$(or $(NAMESPACE),workload-variant-autoscaler-system) IMG=$(IMG) ENVIRONMENT=openshift INSTALL_GATEWAY_CTRLPLANE=false DEPLOY_PROMETHEUS=false DEPLOY_LLM_D=$(DEPLOY_LLM_D) ./deploy/install.sh
 
 ## Undeploy WVA from OpenShift.
 .PHONY: undeploy-wva-on-openshift
@@ -197,6 +197,7 @@ deploy-e2e-infra: ## Deploy e2e test infrastructure (infra-only: WVA + llm-d, no
 		WVA_IMAGE_REPO=$$IMAGE_REPO \
 		WVA_IMAGE_TAG=$$IMAGE_TAG \
 		WVA_IMAGE_PULL_POLICY=IfNotPresent \
+		CONTAINER_TOOL=$(CONTAINER_TOOL) \
 		./deploy/install.sh; \
 	else \
 		echo "IMG not set - using default image from registry (latest)"; \
@@ -207,6 +208,7 @@ deploy-e2e-infra: ## Deploy e2e test infrastructure (infra-only: WVA + llm-d, no
 		SCALER_BACKEND=$(SCALER_BACKEND) \
 		INSTALL_GATEWAY_CTRLPLANE=true \
 		NAMESPACE_SCOPED=false \
+		CONTAINER_TOOL=$(CONTAINER_TOOL) \
 		./deploy/install.sh; \
 	fi
 

charts/workload-variant-autoscaler/templates/manager/wva-deployment-controller-manager.yaml

@@ -105,10 +105,14 @@ spec:
           mountPath: /etc/wva/config.yaml
           subPath: config.yaml
           readOnly: true
-        {{- if .Values.wva.prometheus.caCert }}
+        {{- if ne .Values.wva.prometheus.tls.caCertPath "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" }}
         - name: prometheus-ca-cert
-          mountPath: /etc/ssl/certs/prometheus-ca.crt
+          mountPath: {{ .Values.wva.prometheus.tls.caCertPath }}
+          {{- if .Values.wva.prometheus.tls.existingSecret }}
+          subPath: {{ .Values.wva.prometheus.tls.key }}
+          {{- else }}
           subPath: ca.crt
+          {{- end }}
           readOnly: true
         {{- end }}
         - name: epp-metrics-token
@@ -118,10 +122,22 @@ spec:
       - name: wva-config
         configMap:
           name: {{ include "workload-variant-autoscaler.fullname" . }}-variantautoscaling-config
-      {{- if .Values.wva.prometheus.caCert }}
+      {{- if ne .Values.wva.prometheus.tls.caCertPath "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt" }}
       - name: prometheus-ca-cert
+        {{- if .Values.wva.prometheus.tls.existingSecret }}
+        secret:
+          secretName: {{ .Values.wva.prometheus.tls.existingSecret }}
+          {{- if .Values.wva.prometheus.tls.key }}
+          items:
+          - key: {{ .Values.wva.prometheus.tls.key }}
+            path: {{ .Values.wva.prometheus.tls.key }}
+          {{- end }}
+          optional: false
+        {{- else }}
         configMap:
           name: {{ include "workload-variant-autoscaler.fullname" . }}-prometheus-ca
+          optional: true
+        {{- end }}
       {{- end }}
       - name: epp-metrics-token
         secret:

charts/workload-variant-autoscaler/values-dev.yaml

@@ -27,8 +27,13 @@ wva:
     # Development security configuration (relaxed for easier development)
     tls:
       insecureSkipVerify: true   # Development: true, Production: false
-      # caCertPath: "/etc/ssl/certs/prometheus-ca.crt"  # Only used when caCert is provided
-    # caCert: |  # Uncomment and provide your CA certificate
+      # On OpenShift, service CA is auto-injected at this path
+      caCertPath: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+      # Mount existing Secret for CA certificate (recommended)
+      # This eliminates the need for --set-file and certificate extraction
+      existingSecret: ""      # Name of existing Secret (e.g., "prometheus-web-tls")
+      key: "tls.crt"          # Name of the key in the Secret's data map containing the CA certificate (required when existingSecret is set)
+    # caCert: |  # DEPRECATED: Use above existingSecret instead
     #   -----BEGIN CERTIFICATE-----
     #   YOUR_CA_CERTIFICATE_HERE
     #   -----END CERTIFICATE-----

charts/workload-variant-autoscaler/values.yaml

@@ -37,11 +37,16 @@ wva:
     monitoringNamespace: openshift-user-workload-monitoring
     serviceAccountName: "kube-prometheus-stack-prometheus"
     baseURL: "https://thanos-querier.openshift-monitoring.svc.cluster.local:9091"
-    # Development security configuration (relaxed for easier development)
+    # TLS security configuration
     tls:
       insecureSkipVerify: true   # Development: true, Production: false
-      # caCertPath: "/etc/ssl/certs/prometheus-ca.crt"  # Only used when caCert is provided
-    # caCert: |  # Uncomment and provide your CA certificate
+      # On OpenShift, service CA is auto-injected at this path
+      caCertPath: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
+      # Mount existing Secret for CA certificate (recommended)
+      # This eliminates the need for --set-file and certificate extraction
+      existingSecret: ""      # Name of existing Secret (e.g., "prometheus-web-tls" for kind or k8s)
+      key: "tls.crt"          # Name of the key in the Secret's data map containing the CA certificate (required when existingSecret is set)
+    # caCert: |  # DEPRECATED: Use above existingSecret instead
     #   -----BEGIN CERTIFICATE-----
     #   YOUR_CA_CERTIFICATE_HERE
     #   -----END CERTIFICATE-----

config/samples/dummy-va.yaml

@@ -0,0 +1,47 @@
+# Minimal dummy VariantAutoscaling to satisfy the controller
+# This prevents "No active VariantAutoscalings found" log messages
+# while doing minimal actual work (no real optimization since it's alone)
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: wva-dummy
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dummy-deployment
+  namespace: wva-dummy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dummy
+  template:
+    metadata:
+      labels:
+        app: dummy
+    spec:
+      containers:
+      - name: pause
+        image: registry.k8s.io/pause:3.9
+        resources:
+          requests:
+            cpu: 1m
+            memory: 1Mi
+          limits:
+            cpu: 1m
+            memory: 1Mi
+---
+apiVersion: llmd.ai/v1alpha1
+kind: VariantAutoscaling
+metadata:
+  name: dummy-va
+  namespace: wva-dummy
+  labels:
+    inference.optimization/acceleratorName: dummy
+spec:
+  scaleTargetRef:
+    kind: Deployment
+    name: dummy-deployment
+  modelID: "dummy/model"

config/samples/prometheus-adapter-values-ocp.yaml

@@ -20,18 +20,14 @@ logLevel: 4
 tls:
   enable: false # Inbound TLS (Client → Adapter)
 
-extraVolumes:
-  - name: prometheus-ca
-    configMap:
-      name: prometheus-ca
+# No extra volumes needed - OpenShift auto-injects service CA
+# extraVolumes: []
 
-extraVolumeMounts:
-  - name: prometheus-ca
-    mountPath: /etc/prometheus-ca
-    readOnly: true
+# No extra volume mounts needed - use service CA from projected volume
+# extraVolumeMounts: []
 
 extraArguments:
-  - --prometheus-ca-file=/etc/prometheus-ca/ca.crt
+  - --prometheus-ca-file=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
   - --prometheus-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token
 
 

config/samples/prometheus-adapter-values.yaml

@@ -22,8 +22,11 @@ tls:
 
 extraVolumes:
   - name: prometheus-ca
-    configMap:
-      name: prometheus-ca
+    secret:
+      secretName: prometheus-web-tls  # Secret containing Prom TLS cert
+      items:
+      - key: tls.crt                   # Extract the cert from the Secret
+        path: ca.crt                   # Mount as ca.crt
 
 extraVolumeMounts:
   - name: prometheus-ca