sync: main to incubation

Containerfile

@@ -4,35 +4,15 @@ WORKDIR /opt/app-root
 # Switch to root only for installing packages
 USER root
 
-# For Rust-based Python packages
-RUN dnf install -y --setopt install_weak_deps=0 --nodocs \
-    cargo \
-    rust \
-    && dnf clean all
-
 COPY . .
 
-# Build argument to specify architecture
-ARG TARGETARCH=x86_64
-
-# # Install dependencies
-# RUN if [ "$TARGETARCH" = "amd64" ] || [ "$TARGETARCH" = "x86_64" ]; then \
-#         echo "Installing x86_64 dependencies ..."; \
-#         pip install --no-cache-dir -r requirements-x86_64.txt; \
-#     elif [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" = "aarch64" ]; then \
-#         echo "Installing ARM64 dependencies ..."; \
-#         pip install --no-cache-dir -r requirements-aarch64.txt; \
-#     else \
-#         echo "ERROR: Unsupported architecture: $TARGETARCH"; \
-#         exit 1; \
-#     fi
-
 # Install cpu torch to reduce image size
 RUN pip install torch --index-url https://download.pytorch.org/whl/cpu
 
 # Install the package itself
 # Use [inline] to get garak dependency
 RUN pip install --no-cache-dir ".[inline]"
+# Install midstream garak and sdg-hub dependencies (tmp fix till we get release versions)
 RUN pip install --no-cache-dir -r requirements-inline-extra.txt
 # Set XDG environment variables to use /tmp (always writable) for garak to write to
 ENV XDG_CACHE_HOME=/tmp/.cache

demos/1-openshift-ai/README.md

@@ -48,6 +48,16 @@ export KFP_ENDPOINT="https://$(oc get routes ds-pipeline-dspa -o jsonpath='{.spe
 echo "$KFP_ENDPOINT"
 ```
 
+### NetworkPolicy for KFP-to-LlamaStack connectivity
+
+The Llama Stack operator creates a NetworkPolicy that restricts ingress to the Llama Stack pod. KFP pipeline pods are not in its allow-list by default, causing connection timeouts. Apply the provided NetworkPolicy to allow same-namespace pods to reach the Llama Stack service:
+
+```bash
+oc apply -f lsd_remote/kfp-setup/kfp-networkpolicy.yaml
+```
+
+If you skip this step, KFP pipeline pods might time out when trying to reach the Llama Stack service.
+
 ## 3) Prepare Manifests for Your Namespace/Environment
 
 Update all hardcoded placeholders (especially namespace `tai-garak-lls`) in:
@@ -83,9 +93,10 @@ Set these carefully:
 
 ### Required values in `lsd-role.yaml`
 
-- set namespace
-- verify role name (`ds-pipeline-dspa`) matches your DSP install
+- set namespace in all three resources (Role, and both RoleBindings)
+- verify role name (`ds-pipeline-dspa`) matches your DSP install in the pipeline-management RoleBinding
 - verify service account name (`<lsd-name>-sa`, default in this repo is `llamastack-garak-distribution-sa`)
+- the `lsd-garak-dspa-api-access` Role grants the service account permission to access the DSPA API proxy (required for KFP client connectivity through the external route)
 
 
 ## 4) Deploy PostgreSQL
@@ -182,5 +193,8 @@ Open `demos/guide.ipynb` and run it end-to-end.
 
 ### KFP jobs cannot call Llama Stack URL
 
+- check for NetworkPolicies blocking traffic: `oc get networkpolicy`
+- if pipeline pods time out reaching Llama Stack but port-forward works, apply the NetworkPolicy: `oc apply -f lsd_remote/kfp-setup/kfp-networkpolicy.yaml` (see step 2 above)
+- verify the podSelector label in `kfp-networkpolicy.yaml` matches the Llama Stack pod: `oc get pods --show-labels | grep llamastack`
 - verify `KUBEFLOW_LLAMA_STACK_URL` resolves from inside cluster
 - verify service name/port in `lsd-garak.yaml` matches URL configured in `lsd-config.yaml`

lsd_remote/kfp-setup/kfp-networkpolicy.yaml

@@ -0,0 +1,27 @@
+## NetworkPolicy: allow KFP pipeline pods to reach the Llama Stack service.
+##
+## The Llama Stack operator creates its own NetworkPolicy
+## (e.g. llamastack-garak-distribution-network-policy) that restricts
+## ingress. Since K8s NetworkPolicies are additive, this extra policy
+## opens port 8321 for same-namespace pods (KFP workflow pods, etc.).
+##
+## Verify the Llama Stack pod labels before applying:
+##   oc get pods -n <namespace> --show-labels | grep llamastack
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-kfp-to-llamastack
+  namespace: tai-garak-lls # change this to your namespace
+spec:
+  podSelector:
+    matchLabels:
+      app: llama-stack # label set by the Llama Stack operator
+  ingress:
+  - from:
+    - podSelector: {}
+    ports:
+    - protocol: TCP
+      port: 8321
+  policyTypes:
+  - Ingress

lsd_remote/llama_stack_distro-setup/lsd-role.yaml

@@ -1,4 +1,28 @@
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: lsd-garak-dspa-api-access
+  namespace: tai-garak-lls # change this to the namespace you want to deploy to
+rules:
+- apiGroups: ["datasciencepipelinesapplications.opendatahub.io"]
+  resources: ["datasciencepipelinesapplications/api"]
+  verbs: ["get", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: lsd-garak-dspa-api-access
+  namespace: tai-garak-lls # change this to the namespace you want to deploy to
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: lsd-garak-dspa-api-access
+subjects:
+- kind: ServiceAccount
+  name: llamastack-garak-distribution-sa # {lsd-name}-sa
+  namespace: tai-garak-lls # change this to the namespace you want to deploy to
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: lsd-garak-pipeline-management