feat: dedicated MaaS gateway

This PR updates manifests (and sample models) to use dedicate MaaS
gateway instead of the default one used by KServe/LLMInferenceService.

The segregated gateway approach ensures flexibility and isolation:
- Existing ODH/KServe models remain unaffected
- Models explicitly opt-in to MaaS features when ready
- Traffic, resources, and policies are isolated for safer operations

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>

Author: bartoszmajsak

deployment/README.md

@@ -134,7 +134,7 @@ kubectl -n kuadrant-system patch deployment kuadrant-operator-controller-manager
 Wait for Gateway to be ready:
 
 ```bash
-kubectl wait --for=condition=Programmed gateway openshift-ai-inference -n openshift-ingress --timeout=300s
+kubectl wait --for=condition=Programmed gateway maas-default-gateway -n openshift-ingress --timeout=300s
 ```
 
 Then restart Kuadrant operators:
@@ -159,17 +159,6 @@ kubectl patch csv kuadrant-operator.v0.0.0 -n kuadrant-system --type='json' -p='
 ]'
 ```
 
-#### Update KServe Ingress Domain
-```bash
-kubectl -n kserve patch configmap inferenceservice-config \
-  --type='json' \
-  -p="[{
-    \"op\": \"replace\",
-    \"path\": \"/data/ingress\",
-    \"value\": \"{\\\"enableGatewayApi\\\": true, \\\"kserveIngressGateway\\\": \\\"openshift-ingress/openshift-ai-inference\\\", \\\"ingressGateway\\\": \\\"istio-system/istio-ingressgateway\\\", \\\"ingressDomain\\\": \\\"$(kubectl get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')\\\"}\"
-  }]"
-```
-
 #### Update Limitador Image for Metrics (Optional but Recommended)
 
 Update Limitador to expose metrics properly:
@@ -206,12 +195,12 @@ kubectl patch authpolicy maas-api-auth-policy -n maas-api \
 
 For OpenShift:
 ```bash
-HOST="$(kubectl get gateway openshift-ai-inference -n openshift-ingress -o jsonpath='{.status.addresses[0].value}')"
+HOST="$(kubectl get gateway maas-default-gateway -n openshift-ingress -o jsonpath='{.status.addresses[0].value}')"
 ```
 
 For Kubernetes with LoadBalancer:
 ```bash
-HOST="$(kubectl get gateway openshift-ai-inference -n openshift-ingress -o jsonpath='{.status.addresses[0].value}')"
+HOST="$(kubectl get gateway maas-default-gateway -n openshift-ingress -o jsonpath='{.status.addresses[0].value}')"
 ```
 
 ### 2. Get Authentication Token
@@ -276,7 +265,7 @@ kubectl get pods -n llm
 Check Gateway status:
 
 ```bash
-kubectl get gateway -n openshift-ingress openshift-ai-inference
+kubectl get gateway -n openshift-ingress maas-default-gateway
 ```
 
 Check that policies are enforced:

deployment/base/maas-api/networking/httproute.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: maas-api
 spec:
   parentRefs:
-    - name: openshift-ai-inference
+    - name: maas-default-gateway
       namespace: openshift-ingress
   rules:
     - matches:

deployment/base/maas-api/policies/auth-policy.yaml

@@ -16,4 +16,4 @@ spec:
         kubernetesTokenReview:
           audiences:
             - https://kubernetes.default.svc
-            - openshift-ai-inference-sa
+            - maas-default-gateway-sa

deployment/base/networking/gateway-api.yaml

@@ -6,6 +6,7 @@ metadata:
 spec:
   controllerName: "openshift.io/gateway-controller/v1"
 ---
+# Default LLMInferenceService Gateway
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
@@ -20,3 +21,23 @@ spec:
      allowedRoutes:
        namespaces:
          from: All
+---
+# Default MaaS Gateway for LLMInferenceServices - opt-in to MaaS features
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: maas-default-gateway
+  namespace: openshift-ingress
+  labels:
+    app.kubernetes.io/name: maas
+    app.kubernetes.io/instance: maas-default-gateway
+    app.kubernetes.io/component: gateway
+spec:
+  gatewayClassName: openshift-default
+  listeners:
+   - name: http
+     port: 80
+     protocol: HTTP
+     allowedRoutes:
+       namespaces:
+         from: All

deployment/base/policies/gateway-auth-policy.yaml

@@ -8,7 +8,7 @@ spec:
   targetRef:
     group: gateway.networking.k8s.io
     kind: Gateway
-    name: openshift-ai-inference
+    name: maas-default-gateway
   rules:
     metadata:
       # Enriching identity metadata with a proper subscription tier based on user groups
@@ -29,7 +29,7 @@ spec:
       service-accounts:
         kubernetesTokenReview:
           audiences:
-            - openshift-ai-inference-sa
+            - maas-default-gateway-sa
         defaults:
           # token normalization - https://docs.kuadrant.io/1.2.x/authorino/docs/user-guides/token-normalization/
           # full username: system:serviceaccount:<ns>:<name>

deployment/base/policies/rate-limit-policy.yaml

@@ -7,7 +7,7 @@ spec:
   targetRef:
     group: gateway.networking.k8s.io
     kind: Gateway
-    name: openshift-ai-inference
+    name: maas-default-gateway
   limits:
     free:
       rates:

deployment/base/policies/token-limit-policy.yaml

@@ -11,7 +11,7 @@ spec:
   targetRef:
     group: gateway.networking.k8s.io
     kind: Gateway
-    name: openshift-ai-inference
+    name: maas-default-gateway
   limits:
     free-user-tokens:
       rates:

deployment/overlays/openshift/gateway-route.yaml

@@ -13,8 +13,8 @@ metadata:
   name: gateway-route
   namespace: openshift-ingress
   labels:
-    app: openshift-ai-inference
-    gateway: openshift-ai-inference
+    app: maas
+    gateway: maas-default-gateway
 spec:
   host: gateway.apps.test-maas-v1.eh5f.s1.devshift.org
   port:
@@ -24,6 +24,6 @@ spec:
     termination: edge
   to:
     kind: Service
-    name: openshift-ai-inference-openshift-default
+    name: maas-default-gateway-openshift-default
     weight: 100
   wildcardPolicy: None 

deployment/scripts/deploy-openshift.sh

@@ -209,13 +209,6 @@ else
   echo "   ✅ Kuadrant operator already configured"
 fi
 
-# Update KServe Ingress Domain
-echo "   Updating KServe configuration..."
-kubectl -n kserve patch configmap inferenceservice-config \
-  --type='json' \
-  -p="[{\"op\": \"replace\", \"path\": \"/data/ingress\", \"value\": \"{\\\"enableGatewayApi\\\": true, \\\"kserveIngressGateway\\\": \\\"openshift-ingress/openshift-ai-inference\\\", \\\"ingressGateway\\\": \\\"istio-system/istio-ingressgateway\\\", \\\"ingressDomain\\\": \\\"$CLUSTER_DOMAIN\\\"}\" }]" 2>/dev/null || \
-  echo "   KServe already configured"
-
 echo ""
 echo "8️⃣ Waiting for Gateway to be ready..."
 echo "   Note: This may take a few minutes if Service Mesh is being automatically installed..."
@@ -234,7 +227,7 @@ else
 fi
 
 echo "   Waiting for Gateway to become ready..."
-kubectl wait --for=condition=Programmed gateway openshift-ai-inference -n openshift-ingress --timeout=300s || \
+kubectl wait --for=condition=Programmed gateway maas-default-gateway -n openshift-ingress --timeout=300s || \
   echo "   ⚠️  Gateway is taking longer than expected, continuing..."
 
 echo ""
@@ -295,8 +288,8 @@ kubectl get pods -n opendatahub --no-headers | grep Running | wc -l | xargs echo
 
 echo ""
 echo "Gateway Status:"
-kubectl get gateway -n openshift-ingress openshift-ai-inference -o jsonpath='{.status.conditions[?(@.type=="Accepted")].status}' | xargs echo "  Accepted:"
-kubectl get gateway -n openshift-ingress openshift-ai-inference -o jsonpath='{.status.conditions[?(@.type=="Programmed")].status}' | xargs echo "  Programmed:"
+kubectl get gateway -n openshift-ingress maas-default-gateway -o jsonpath='{.status.conditions[?(@.type=="Accepted")].status}' | xargs echo "  Accepted:"
+kubectl get gateway -n openshift-ingress maas-default-gateway -o jsonpath='{.status.conditions[?(@.type=="Programmed")].status}' | xargs echo "  Programmed:"
 
 echo ""
 echo "Policy Status:"