fix: address PR review feedback for Route reconciler and RBAC

- Fix annotation reconciliation loop: compare only managed annotations
  in semanticRouteEquals and merge (not replace) annotations on update,
  preventing infinite loop with OpenShift router controller
- Remove unconstrained clusterrolebindings RBAC from base role by fixing
  Makefile controller-gen path to not recurse into distro/ subpackage
- Clear isvc.Status.URL and Address on force-stop to avoid stale data
- Add status update on reconcilePlatformPermissions failure for consistency
- Add warning log when setRouteTargetPort falls back to first port

Author: VedantMahabaleshwarkar

Makefile

@@ -130,7 +130,7 @@ verify-helm-helpers-consistency:
 # Generate manifests e.g. CRD, RBAC etc.
 manifests: controller-gen kustomize yq
 	@$(CONTROLLER_GEN) $(CRD_OPTIONS) paths=./pkg/apis/serving/... output:crd:dir=config/crd/full	
-	@$(CONTROLLER_GEN) rbac:roleName=kserve-manager-role paths={./pkg/controller/v1alpha1/inferencegraph,./pkg/controller/v1alpha1/trainedmodel,./pkg/controller/v1beta1/...} output:rbac:artifacts:config=config/rbac
+	@$(CONTROLLER_GEN) rbac:roleName=kserve-manager-role paths={./pkg/controller/v1alpha1/inferencegraph,./pkg/controller/v1alpha1/trainedmodel,./pkg/controller/v1beta1/inferenceservice} output:rbac:artifacts:config=config/rbac
 	@$(CONTROLLER_GEN) rbac:roleName=kserve-llmisvc-manager-role paths=./pkg/controller/v1alpha2/llmisvc output:rbac:artifacts:config=config/rbac/llmisvc
 	@$(CONTROLLER_GEN) rbac:roleName=kserve-localmodel-manager-role paths=./pkg/controller/v1alpha1/localmodel output:rbac:artifacts:config=config/rbac/localmodel
 	@$(CONTROLLER_GEN) rbac:roleName=kserve-localmodelnode-agent-role paths=./pkg/controller/v1alpha1/localmodelnode output:rbac:artifacts:config=config/rbac/localmodelnode

charts/kserve-resources/files/kserve/resources.yaml

@@ -173,18 +173,6 @@ rules:
   - get
   - patch
   - update
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterrolebindings
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resourceNames:

config/rbac/role.yaml

@@ -392,6 +392,9 @@ func (r *InferenceServiceReconciler) Reconcile(ctx context.Context, req ctrl.Req
 
 	if deploymentMode == constants.Standard || deploymentMode == constants.LegacyRawDeployment {
 		if err := reconcilePlatformPermissions(ctx, r.Client, isvc); err != nil {
+			if updateErr := r.updateStatus(ctx, isvc, deploymentMode); updateErr != nil {
+				r.Log.Error(updateErr, "Error updating status after platform permissions reconcile failure")
+			}
 			return reconcile.Result{}, errors.Wrapf(err, "fails to reconcile platform permissions")
 		}
 	}

hack/setup/quick-install/kserve-knative-mode-full-install-with-manifests.sh

@@ -93,6 +93,8 @@ func (r *RawOCPRouteReconciler) Reconcile(ctx context.Context, isvc *v1beta1.Inf
 				}
 			}
 		}
+		isvc.Status.URL = nil
+		isvc.Status.Address = nil
 		isvc.Status.SetCondition(v1beta1.IngressReady, &apis.Condition{
 			Type:   v1beta1.IngressReady,
 			Status: corev1.ConditionFalse,
@@ -137,7 +139,12 @@ func (r *RawOCPRouteReconciler) reconcileExposed(
 	if !semanticRouteEquals(desiredRoute, existingRoute) {
 		existingRoute.Spec = desiredRoute.Spec
 		existingRoute.Labels = desiredRoute.Labels
-		existingRoute.Annotations = desiredRoute.Annotations
+		if existingRoute.Annotations == nil {
+			existingRoute.Annotations = map[string]string{}
+		}
+		for k, v := range desiredRoute.Annotations {
+			existingRoute.Annotations[k] = v
+		}
 		log.Info("Updating Route", "name", isvc.Name, "namespace", isvc.Namespace)
 		if err := r.client.Update(ctx, existingRoute); err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to update Route: %w", err)
@@ -325,6 +332,8 @@ func setRouteTargetPort(authEnabled bool, svc *corev1.Service) (intstr.IntOrStri
 		}
 	}
 	if len(svc.Spec.Ports) > 0 {
+		log.Info("Desired port not found, falling back to first port",
+			"service", svc.Name, "desiredPort", desiredName, "fallbackPort", svc.Spec.Ports[0].Name)
 		if svc.Spec.Ports[0].Name != "" {
 			return intstr.FromString(svc.Spec.Ports[0].Name), nil
 		}
@@ -360,7 +369,16 @@ func setRouteTimeout(route *routev1.Route, isvc *v1beta1.InferenceService) {
 }
 
 func semanticRouteEquals(desired, existing *routev1.Route) bool {
-	return equality.Semantic.DeepEqual(desired.Spec, existing.Spec) &&
-		equality.Semantic.DeepEqual(desired.Labels, existing.Labels) &&
-		equality.Semantic.DeepEqual(desired.Annotations, existing.Annotations)
+	if !equality.Semantic.DeepEqual(desired.Spec, existing.Spec) {
+		return false
+	}
+	if !equality.Semantic.DeepEqual(desired.Labels, existing.Labels) {
+		return false
+	}
+	for key, val := range desired.Annotations {
+		if existing.Annotations[key] != val {
+			return false
+		}
+	}
+	return true
 }