Merge branch 'main' into yt-add-go-coverage-tests

Author: Yuriy Teodorovych

.github/hack/install-odh.sh

@@ -5,9 +5,12 @@
 # Prerequisites: cert-manager and LWS operators (run install-cert-manager-and-lws.sh first).
 #
 # Environment variables:
-#   OPERATOR_CATALOG - Custom catalog image (optional). When unset, uses community-operators (ODH 3.3).
+#   OPERATOR_CATALOG - Custom catalog image (optional). When unset, uses community-operators.
 #                      Set to e.g. quay.io/opendatahub/opendatahub-operator-catalog:latest for custom builds.
-#   OPERATOR_CHANNEL - Subscription channel (default: fast-3 for community, fast for custom catalog)
+#   OPERATOR_CHANNEL   - Subscription channel (default: fast-3)
+#   OPERATOR_STARTING_CSV - Pin Subscription startingCSV (default: opendatahub-operator.v3.4.0-ea.1). Set to "-" to omit.
+#   OPERATOR_INSTALL_PLAN_APPROVAL - Manual (default) or Automatic; use "-" to omit.
+#     Manual: blocks auto-upgrades; this script auto-approves only the first InstallPlan so install does not stall.
 #   OPERATOR_IMAGE   - Custom operator image to patch into CSV (optional)
 #
 # Usage: ./install-odh.sh
@@ -21,6 +24,8 @@ DATA_DIR="${REPO_ROOT}/scripts/data"
 NAMESPACE="${OPERATOR_NAMESPACE:-opendatahub}"
 OPERATOR_CATALOG="${OPERATOR_CATALOG:-}"
 OPERATOR_CHANNEL="${OPERATOR_CHANNEL:-}"
+OPERATOR_STARTING_CSV="${OPERATOR_STARTING_CSV:-}"
+OPERATOR_INSTALL_PLAN_APPROVAL="${OPERATOR_INSTALL_PLAN_APPROVAL:-}"
 OPERATOR_IMAGE="${OPERATOR_IMAGE:-}"
 
 # Source deployment helpers
@@ -59,28 +64,38 @@ patch_operator_csv_if_needed() {
 echo "=== Installing OpenDataHub operator ==="
 echo ""
 
-# 1. Catalog setup: use community-operators (ODH 3.3) by default, or custom catalog when OPERATOR_CATALOG is set
+# 1. Catalog setup: community-operators by default, or custom catalog when OPERATOR_CATALOG is set
 echo "1. Setting up ODH catalog..."
 if [[ -n "$OPERATOR_CATALOG" ]]; then
   echo "   Using custom catalog: $OPERATOR_CATALOG"
   create_custom_catalogsource "odh-custom-catalog" "openshift-marketplace" "$OPERATOR_CATALOG"
   catalog_source="odh-custom-catalog"
-  channel="${OPERATOR_CHANNEL:-fast}"
+  channel="${OPERATOR_CHANNEL:-fast-3}"
 else
-  echo "   Using community-operators (ODH 3.3)"
+  echo "   Using community-operators"
   catalog_source="community-operators"
   channel="${OPERATOR_CHANNEL:-fast-3}"
 fi
 
+# Pin to ODH 3.4 EA1 unless overridden (omit with OPERATOR_STARTING_CSV=- to follow channel head)
+starting_csv="${OPERATOR_STARTING_CSV:-opendatahub-operator.v3.4.0-ea.1}"
+[[ "$starting_csv" == "-" ]] && starting_csv=""
+
+# Manual = no auto-upgrades; install_olm_operator still approves the first InstallPlan programmatically
+plan_approval="${OPERATOR_INSTALL_PLAN_APPROVAL:-Manual}"
+[[ "$plan_approval" == "-" ]] && plan_approval=""
+
 # 2. Install ODH operator via OLM
 echo "2. Installing ODH operator..."
 install_olm_operator \
   "opendatahub-operator" \
   "$NAMESPACE" \
   "$catalog_source" \
   "$channel" \
-  "" \
-  "AllNamespaces"
+  "$starting_csv" \
+  "AllNamespaces" \
+  "openshift-marketplace" \
+  "$plan_approval"
 
 # 3. Patch CSV with custom image if specified
 if [[ -n "$OPERATOR_IMAGE" ]]; then

deployment/base/maas-controller/crd/bases/maas.opendatahub.io_maasmodelrefs.yaml

@@ -55,6 +55,25 @@ spec:
           spec:
             description: MaaSModelSpec defines the desired state of MaaSModelRef
             properties:
+              credentialRef:
+                description: |-
+                  CredentialRef references a Kubernetes Secret containing the provider API key.
+                  The Secret must contain a data key "api-key" with the credential value.
+                  Only used when modelRef.kind=ExternalModel.
+                properties:
+                  name:
+                    description: Name is the name of the Secret
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the Secret. Defaults
+                      to the MaaSModelRef namespace if omitted.
+                    maxLength: 253
+                    type: string
+                required:
+                - name
+                type: object
               endpointOverride:
                 description: |-
                   EndpointOverride, when set, overrides the endpoint URL that the controller
@@ -64,6 +83,16 @@ spec:
               modelRef:
                 description: ModelRef references the actual model endpoint
                 properties:
+                  endpoint:
+                    description: |-
+                      Endpoint is the FQDN of the external provider (no scheme or path).
+                      e.g. "api.openai.com". Only used when kind=ExternalModel.
+                      This field is metadata for downstream consumers (e.g. BBR provider-resolver plugin)
+                      and is not used by the controller for endpoint derivation. Use spec.endpointOverride
+                      to override the controller-derived endpoint.
+                    maxLength: 253
+                    pattern: ^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$
+                    type: string
                   kind:
                     description: Kind determines which fields are available
                     enum:
@@ -73,10 +102,20 @@ spec:
                   name:
                     description: Name is the name of the model resource
                     type: string
+                  provider:
+                    description: |-
+                      Provider identifies the API format and auth type for external models.
+                      e.g. "openai", "anthropic". Only used when kind=ExternalModel.
+                    maxLength: 63
+                    type: string
                 required:
                 - kind
                 - name
                 type: object
+                x-kubernetes-validations:
+                - message: provider is required when kind is ExternalModel
+                  rule: self.kind != 'ExternalModel' || has(self.provider) && self.provider
+                    != ''
             required:
             - modelRef
             type: object

maas-controller/api/maas/v1alpha1/maasmodelref_types.go

@@ -29,16 +29,50 @@ type MaaSModelSpec struct {
 	// or Gateway/HTTPRoute).
 	// +optional
 	EndpointOverride string `json:"endpointOverride,omitempty"`
+	// CredentialRef references a Kubernetes Secret containing the provider API key.
+	// The Secret must contain a data key "api-key" with the credential value.
+	// Only used when modelRef.kind=ExternalModel.
+	// +optional
+	CredentialRef *CredentialReference `json:"credentialRef,omitempty"`
+}
+
+// CredentialReference references a Kubernetes Secret with provider API credentials.
+type CredentialReference struct {
+	// Name is the name of the Secret
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=253
+	Name string `json:"name"`
+	// Namespace is the namespace of the Secret. Defaults to the MaaSModelRef namespace if omitted.
+	// +kubebuilder:validation:MaxLength=253
+	// +optional
+	Namespace string `json:"namespace,omitempty"`
 }
 
 // ModelReference references a model endpoint in the same namespace
+// +kubebuilder:validation:XValidation:rule="self.kind != 'ExternalModel' || has(self.provider) && self.provider != ''",message="provider is required when kind is ExternalModel"
 type ModelReference struct {
 	// Kind determines which fields are available
 	// +kubebuilder:validation:Enum=LLMInferenceService;ExternalModel
 	Kind string `json:"kind"`
 
 	// Name is the name of the model resource
 	Name string `json:"name"`
+
+	// Provider identifies the API format and auth type for external models.
+	// e.g. "openai", "anthropic". Only used when kind=ExternalModel.
+	// +kubebuilder:validation:MaxLength=63
+	// +optional
+	Provider string `json:"provider,omitempty"`
+
+	// Endpoint is the FQDN of the external provider (no scheme or path).
+	// e.g. "api.openai.com". Only used when kind=ExternalModel.
+	// This field is metadata for downstream consumers (e.g. BBR provider-resolver plugin)
+	// and is not used by the controller for endpoint derivation. Use spec.endpointOverride
+	// to override the controller-derived endpoint.
+	// +kubebuilder:validation:MaxLength=253
+	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$`
+	// +optional
+	Endpoint string `json:"endpoint,omitempty"`
 }
 
 // MaaSModelStatus defines the observed state of MaaSModelRef

maas-controller/api/maas/v1alpha1/zz_generated.deepcopy.go

@@ -82,6 +82,7 @@ func (r *MaaSModelRefReconciler) gatewayNamespace() string {
 //+kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch
 //+kubebuilder:rbac:groups=kuadrant.io,resources=authpolicies,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=serving.kserve.io,resources=llminferenceservices,verbs=get;list;watch
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get
 
 const maasModelFinalizer = "maas.opendatahub.io/model-cleanup"
 
@@ -133,6 +134,12 @@ func (r *MaaSModelRefReconciler) Reconcile(ctx context.Context, req ctrl.Request
 		return ctrl.Result{}, nil
 	}
 
+	// Validate credentialRef namespace matches the CR namespace (prevent cross-namespace Secret access)
+	if ref := model.Spec.CredentialRef; ref != nil && ref.Namespace != "" && ref.Namespace != model.Namespace {
+		r.updateStatus(ctx, model, "Failed", "spec.credentialRef.namespace must match metadata.namespace", statusSnapshot)
+		return ctrl.Result{}, nil
+	}
+
 	if err := handler.ReconcileRoute(ctx, log, model); err != nil {
 		if errors.Is(err, ErrKindNotImplemented) {
 			r.updateStatusWithReason(ctx, model, "Failed", fmt.Sprintf("kind not implemented: %s", kind), "Unsupported", statusSnapshot)