fix: rebase mess

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

Author: zdtsw

.github/workflows/ci-e2e-openshift.yaml

@@ -398,6 +398,7 @@ jobs:
       HPA_STABILIZATION_SECONDS: ${{ github.event.inputs.hpa_stabilization_seconds || '240' }}
       SKIP_CLEANUP: ${{ github.event.inputs.skip_cleanup || 'false' }}
       # Use main branch of llm-d/llm-d for inferencepool chart v1.2.1 (GA API support)
+      LLM_D_RELEASE: main
       LLM_D_EPP_RELEASE: main
       LLM_D_SIM_RELEASE: main
       # PR-specific namespaces for isolation between concurrent PR tests

config/samples/dummy-va.yaml

@@ -288,15 +288,16 @@ Deploy with a specific llm-d release version and use Podman instead of Docker:
 
 ```bash
 export HF_TOKEN="hf_xxxxx"
-export LLM_D_EPP_RELEASE="v0.7.1"      # Pin to specific llm-d-inference-scheduler version
-export LLM_D_SIM_RELEASE="v0.8.2"      # Pin to specific llm-d-inference-sim version
-export CONTAINER_TOOL=podman       # Use Podman instead of Docker
+export LLM_D_RELEASE="v0.6.0"          # Pin llm-d repo clone version
+export LLM_D_EPP_RELEASE="v0.7.1"      # Pin llm-d-inference-scheduler image tag
+export LLM_D_SIM_RELEASE="v0.8.2"      # Pin llm-d-inference-sim image tag
+export CONTAINER_TOOL=podman            # Use Podman instead of Docker
 make deploy-wva-emulated-on-kind
 
-# The variable automatically sets:
+# These variables independently control:
+# - LLM_D_RELEASE: which branch/tag of the llm-d repo to clone
 # - LLM_D_INFERENCE_SCHEDULER_IMG=ghcr.io/llm-d/llm-d-inference-scheduler:v0.7.1
 # - LLM_D_INFERENCE_SIM_IMG=ghcr.io/llm-d/llm-d-inference-sim:v0.8.2
-# - llm-d repository clone version
 ```
 
 ### Method 2: Helm Chart

deploy/README.md

@@ -90,7 +90,6 @@ SLO_TPOT=${SLO_TPOT:-10}  # Target time-per-output-token SLO (in ms)
 SLO_TTFT=${SLO_TTFT:-1000}  # Target time-to-first-token SLO (in ms)
 
 # Prometheus Configuration
-PROM_CA_CERT_PATH=${PROM_CA_CERT_PATH:-"/tmp/prometheus-ca.crt"}
 PROMETHEUS_SECRET_NAME=${PROMETHEUS_SECRET_NAME:-"prometheus-web-tls"}
 
 # Flags for deployment steps

deploy/install.sh

@@ -67,6 +67,8 @@ PROMETHEUS_PORT="9090"
 PROMETHEUS_URL="$PROMETHEUS_BASE_URL:$PROMETHEUS_PORT"
 PROMETHEUS_SECRET_NAME="prometheus-web-tls"
 # Prometheus TLS - mount existing secret directly (no extraction needed)
+PROM_TLS_SECRET_NAME="prometheus-web-tls"
+PROM_TLS_KEY="tls.crt"
 PROM_TLS_CA_CERT_PATH="/etc/ssl/certs/prometheus-ca.crt" # need a different path than OCP default value
 
 # KIND cluster configuration

deploy/kind-emulator/install.sh

@@ -19,6 +19,8 @@ PROMETHEUS_PORT="9090"
 PROMETHEUS_URL=${PROMETHEUS_URL:-"$PROMETHEUS_BASE_URL:$PROMETHEUS_PORT"}
 PROMETHEUS_SECRET_NAME=${PROMETHEUS_SECRET_NAME:-"prometheus-web-tls"}
 # Prometheus TLS - mount existing secret directly (no extraction needed)
+PROM_TLS_SECRET_NAME="prometheus-web-tls"
+PROM_TLS_KEY="tls.crt"
 PROM_TLS_CA_CERT_PATH="/etc/ssl/certs/prometheus-ca.crt" # need a different path than OCP default value
 DEPLOY_PROMETHEUS=${DEPLOY_PROMETHEUS:-"true"}
 SKIP_TLS_VERIFY=${SKIP_TLS_VERIFY:-"true"}

deploy/kubernetes/install.sh

@@ -94,8 +94,6 @@ undeploy_wva_controller() {
     helm uninstall "$WVA_RELEASE_NAME" -n "$WVA_NS" 2>/dev/null || \
         log_warning "Workload-Variant-Autoscaler not found or already uninstalled"
 
-    rm -f "$PROM_CA_CERT_PATH"
-
     log_success "WVA uninstalled"
 }
 

deploy/lib/cleanup.sh

@@ -71,7 +71,6 @@ deploy_wva_controller() {
     helm upgrade -i "$WVA_RELEASE_NAME" ${WVA_PROJECT}/charts/workload-variant-autoscaler \
         -n "$WVA_NS" \
         --values $VALUES_FILE \
-        --set-file wva.prometheus.caCert="$PROM_CA_CERT_PATH" \
         --set wva.image.repository="$WVA_IMAGE_REPO" \
         --set wva.image.tag="$WVA_IMAGE_TAG" \
         --set wva.imagePullPolicy="$WVA_IMAGE_PULL_POLICY" \
@@ -89,6 +88,9 @@ deploy_wva_controller() {
         --set llmd.namespace="$LLMD_NS" \
         --set wva.prometheus.baseURL="$PROMETHEUS_URL" \
         --set wva.prometheus.monitoringNamespace="$MONITORING_NAMESPACE" \
+        --set wva.prometheus.tls.caCertPath="$PROM_TLS_CA_CERT_PATH" \
+        ${PROM_TLS_SECRET_NAME:+--set wva.prometheus.tls.existingSecret=$PROM_TLS_SECRET_NAME} \
+        ${PROM_TLS_KEY:+--set wva.prometheus.tls.key=$PROM_TLS_KEY} \
         --set vllmService.enabled="$VLLM_SVC_ENABLED" \
         --set vllmService.port="$VLLM_SVC_PORT" \
         --set vllmService.targetPort="$VLLM_SVC_PORT" \
@@ -172,9 +174,12 @@ delete_namespaces_kube_like() {
 deploy_wva_prerequisites_kube_like() {
     log_info "Deploying Workload-Variant-Autoscaler prerequisites for Kubernetes..."
 
-    # Extract Prometheus CA certificate
-    log_info "Extracting Prometheus TLS certificate"
-    kubectl get secret "$PROMETHEUS_SECRET_NAME" -n "$MONITORING_NAMESPACE" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$PROM_CA_CERT_PATH"
+    # Copy prometheus TLS Secret to WVA namespace for direct mounting (no extraction needed)
+    log_info "Copying $PROMETHEUS_SECRET_NAME Secret to WVA namespace..."
+    kubectl get secret "$PROMETHEUS_SECRET_NAME" -n "$MONITORING_NAMESPACE" -o yaml | \
+        sed "s/namespace: $MONITORING_NAMESPACE/namespace: $WVA_NS/" | \
+        kubectl apply -f - &> /dev/null
+    log_success "Secret copied to $WVA_NS namespace"
 
     local use_values_dev=false
     if [ "$SKIP_TLS_VERIFY" = "true" ]; then
@@ -202,63 +207,3 @@ deploy_wva_prerequisites_kube_like() {
 
     log_success "WVA prerequisites complete"
 }
-
-# OpenShift-specific CA extraction used by deploy/openshift/install.sh.
-extract_openshift_prometheus_ca() {
-    # Extract OpenShift Service CA certificate for Thanos verification
-    # Note: For OpenShift service certificates, we need the Service CA that signed the server cert,
-    # not the server certificate itself. The server cert is in thanos-querier-tls, but we need the CA.
-    log_info "Extracting OpenShift Service CA certificate for Thanos verification"
-
-    # Method 1: Extract Service CA from openshift-service-ca.crt ConfigMap (preferred)
-    # This is the actual CA certificate that signs OpenShift service certificates
-    if kubectl get configmap openshift-service-ca.crt -n "$PROMETHEUS_SECRET_NS" &> /dev/null; then
-        log_info "Extracting Service CA from openshift-service-ca.crt ConfigMap"
-        kubectl get configmap openshift-service-ca.crt -n "$PROMETHEUS_SECRET_NS" -o jsonpath='{.data.service-ca\.crt}' > "$PROM_CA_CERT_PATH" 2>/dev/null || true
-        if [ -s "$PROM_CA_CERT_PATH" ]; then
-            log_success "Extracted Service CA from openshift-service-ca.crt ConfigMap"
-        fi
-    fi
-
-    # Method 2: Extract Service CA from openshift-config namespace
-    if [ ! -s "$PROM_CA_CERT_PATH" ]; then
-        log_info "Trying to extract Service CA from openshift-config namespace"
-        kubectl get configmap openshift-service-ca -n openshift-config -o jsonpath='{.data.service-ca\.crt}' > "$PROM_CA_CERT_PATH" 2>/dev/null || true
-        if [ -s "$PROM_CA_CERT_PATH" ]; then
-            log_success "Extracted Service CA from openshift-config namespace"
-        fi
-    fi
-
-    # Method 3: Fallback to thanos-querier-tls secret (as per Helm README)
-    # Note: This extracts the server certificate, which may work if the cert chain includes the CA
-    # but it's not ideal - we should use the Service CA instead.
-    if [ ! -s "$PROM_CA_CERT_PATH" ]; then
-        log_warning "Service CA not found, falling back to server certificate from thanos-querier-tls"
-        log_warning "This may cause TLS verification issues - Service CA is preferred"
-        if kubectl get secret "$PROMETHEUS_SECRET_NAME" -n "$PROMETHEUS_SECRET_NS" &> /dev/null; then
-            log_info "Extracting certificate from thanos-querier-tls secret (as per Helm README)"
-            kubectl get secret "$PROMETHEUS_SECRET_NAME" -n "$PROMETHEUS_SECRET_NS" -o jsonpath='{.data.tls\.crt}' | base64 -d > "$PROM_CA_CERT_PATH"
-            if [ -s "$PROM_CA_CERT_PATH" ]; then
-                log_success "Extracted certificate from thanos-querier-tls secret"
-            fi
-        fi
-    fi
-
-    # Verify we have a valid certificate
-    if [ ! -s "$PROM_CA_CERT_PATH" ]; then
-        log_error "Failed to extract OpenShift Service CA certificate"
-        log_error "Tried: openshift-service-ca.crt ConfigMap, openshift-config ConfigMap, and thanos-querier-tls secret"
-        exit 1
-    fi
-
-    # Verify the certificate is valid PEM format
-    if ! openssl x509 -in "$PROM_CA_CERT_PATH" -text -noout &> /dev/null; then
-        log_warning "Certificate file may not be in valid PEM format, but continuing..."
-        log_warning "If TLS errors occur, verify the certificate format is correct"
-    else
-        # Log certificate details for debugging
-        local cert_subject
-        cert_subject=$(openssl x509 -in "$PROM_CA_CERT_PATH" -noout -subject 2>/dev/null | sed 's/subject=//' || echo "unknown")
-        log_info "Certificate subject: $cert_subject"
-    fi
-}

deploy/lib/infra_wva.sh

@@ -2,7 +2,7 @@
 #
 # Scaler backend deployment/runtime helpers for deploy/install.sh.
 # Requires vars: MONITORING_NAMESPACE, KEDA_NAMESPACE, KEDA_CHART_VERSION,
-# PROM_CA_CERT_PATH, PROMETHEUS_BASE_URL, PROMETHEUS_PORT, E2E_TESTS_ENABLED.
+# PROMETHEUS_BASE_URL, PROMETHEUS_PORT, E2E_TESTS_ENABLED.
 # Requires funcs: log_info/log_warning/log_success/log_error,
 # should_skip_helm_repo_update(), retry_until_success().
 #
@@ -160,22 +160,6 @@ deploy_prometheus_adapter() {
         helm repo update
     fi
 
-    # Create prometheus-ca ConfigMap from the CA certificate
-    log_info "Creating prometheus-ca ConfigMap for Prometheus Adapter"
-    if [ ! -f "$PROM_CA_CERT_PATH" ] || [ ! -s "$PROM_CA_CERT_PATH" ]; then
-        log_error "CA certificate file not found or empty: $PROM_CA_CERT_PATH"
-        log_error "Please ensure deploy_wva_prerequisites() was called first"
-        exit 1
-    fi
-
-    # Create or update the prometheus-ca ConfigMap
-    kubectl create configmap "$PROMETHEUS_CA_CONFIGMAP_NAME" \
-        --from-file="ca.crt=$PROM_CA_CERT_PATH" \
-        -n "$MONITORING_NAMESPACE" \
-        --dry-run=client -o yaml | kubectl apply -f -
-
-    log_success "prometheus-ca ConfigMap created/updated"
-
     # Use existing values files from config/samples
     local values_file=""
     if [ "$ENVIRONMENT" = "openshift" ]; then

deploy/lib/scaler_runtime.sh

@@ -127,8 +127,10 @@ deploy_prometheus_stack() {
 
 #### REQUIRED FUNCTION used by deploy/install.sh ####
 deploy_wva_prerequisites() {
-    log_info "Deploying Workload-Variant-Autoscaler..."
-    extract_openshift_prometheus_ca
+    log_info "Deploying Workload-Variant-Autoscaler prerequisites..."
+
+    log_info "OpenShift automatically provides service CA certificate in projected volume"
+    log_info "Certificate path: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
 
     log_info "Installing LeaderWorkerSet version $LWS_CHART_VERSION into lws-system namespace"
     helm upgrade -i lws oci://registry.k8s.io/lws/charts/lws \