chore: simplifies manifest structure (#98)

* chore: simplifies manifest structure

This PR simplifies maas-api manifests and promote re-use.

It also provides clear, documented overlays for
common install paths (ODH operator, dev, secrets).

## Detailed Changeset

### RBAC

Trimmed RBAC definitions by moving secret-specific rules to dedicated
overlay.

### Policies

Separate Gateway-level policies from MaaS API access.

### Overlays

`odh`: operator-specific install with ConfigMap-driven image replacement.
`secret`: Secret-provider variant (adds ADMIN_API_KEY and provider patch + RBAC).
`dev`: tidied, keeps debug patch and local infra wiring.

### Other changes

* Uses SA Token provider as default deployment mode, to use Secret-based
  one build dedicated overlay
* Makefile: introduce deploy helper and deploy-dev/deploy targets; image set via kustomize.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>

* fix: corrects image repository for odh overlay

Co-authored-by: Edgar Hernández <ehernand@redhat.com>

* chore(make): no need to check REPO variable (#99)

It is always defaulted and if explictly set to blank the push will fail regardless.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>

* chore: simplifies manifest structure

This PR simplifies maas-api manifests and promote re-use.

It also provides clear, documented overlays for
common install paths (ODH operator, dev, secrets).

## Detailed Changeset

### RBAC

Trimmed RBAC definitions by moving secret-specific rules to dedicated
overlay.

### Policies

Separate Gateway-level policies from MaaS API access.

### Overlays

`odh`: operator-specific install with ConfigMap-driven image replacement.
`secret`: Secret-provider variant (adds ADMIN_API_KEY and provider patch + RBAC).
`dev`: tidied, keeps debug patch and local infra wiring.

### Other changes

* Uses SA Token provider as default deployment mode, to use Secret-based
  one build dedicated overlay
* Makefile: introduce deploy helper and deploy-dev/deploy targets; image set via kustomize.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>

; Conflicts:
;	maas-api/DEV.md
;	maas-api/deploy/overlays/odh/params.env

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>

---------

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>
Co-authored-by: Edgar Hernández <ehernand@redhat.com>

Author: bartoszmajsak

maas-api/DEV.md

@@ -4,7 +4,7 @@
 
 - kubectl
 - jq
-- kustomize
+- kustomize 5.7
 - OCP 4.19.9+ (for GW API)
 - [jwt](https://github.com/mike-engel/jwt-cli) CLI tool (for inspecting tokens)
 
@@ -48,10 +48,7 @@ kustomize build ${PROJECT_DIR}/maas-api/deploy/infra/odh | kubectl apply --serve
 ### Deploying MaaS API for development
 
 ```shell
-make deploy-dev \
-  -e REPO=quay.io/bmajsak/maas-api \
-  -e TAG=latest \
-  -e PRE_DEPLOY_STEP='kustomize edit add patch --group apps --kind Deployment --path patches/sa-token-provider.yaml'
+make deploy-dev
 ```
 
 This will:
@@ -99,12 +96,12 @@ AUD="$(kubectl create token default --duration=10m \
 
 echo "Patching AuthPolicy with audience: $AUD"
 
-kubectl patch --local -f ${PROJECT_DIR}/maas-api/deploy/policies/auth-policy.yaml \
+kubectl patch --local -f ${PROJECT_DIR}/maas-api/deploy/policies/maas-api/auth-policy.yaml \
   --type='json' \
   -p "$(jq -nc --arg aud "$AUD" '[{
     op:"replace",
-    path:"/spec/rules/authentication/openshift-identities/kubernetesTokenReview/audiences",
-    value:[$aud]
+    path:"/spec/rules/authentication/openshift-identities/kubernetesTokenReview/audiences/0",
+    value:$aud
   }]')" \
   -o yaml | kubectl apply -f -
 ```

maas-api/Makefile

@@ -108,17 +108,27 @@ push-image: ## Push container image (use REPO= and TAG= to specify image)
 .PHONY: build-push-image
 build-push-image: build-image push-image ## Build and push container image
 
+## Deployment
+
 PRE_DEPLOY_STEP ?=
-.PHONY: deploy-dev
-deploy-dev: ## Deploy to development
+define deploy
 	kubectl create namespace maas-api || true
-	cd $(PROJECT_DIR)/deploy/overlays/dev && \
+	cd $(PROJECT_DIR)/deploy/$(1) && \
 		set -eu; \
 		cp kustomization.yaml kustomization.yaml.backup && \
 		trap 'mv kustomization.yaml.backup kustomization.yaml 2>/dev/null || true' EXIT INT TERM && \
 		kustomize edit set image maas-api=$(FULL_IMAGE) && \
 		$(if $(PRE_DEPLOY_STEP),$(PRE_DEPLOY_STEP) &&) \
 		kustomize build . | kubectl apply -f -
+endef
+
+.PHONY: deploy-dev
+deploy-dev: ## Deploy development version
+	$(call deploy,overlays/dev)
+
+.PHONY: deploy
+deploy: ## Deploy base component
+	$(call deploy,base)
 
 default_run_flags := --debug
 RUN_FLAGS ?= 

maas-api/deploy/README.md

@@ -0,0 +1,32 @@
+## Overview
+
+```shell
+├── base          <1>
+├── infra         <2>
+│   ├── kuadrant
+│   ├── odh       <*>
+│   └── openshift-gateway-api
+├── models        <3>
+├── overlays      <4>
+│   ├── dev
+│   ├── odh
+│   └── secret
+├── policies      <5>
+└── rbac          <6>
+```
+
+**<1> base** - Core MaaS API deployment manifests (service, deployment) with common labels and RBAC
+
+**<2> infra** - Infrastructure dependencies for Gateway API, Kuadrant, and OpenDataHub integration
+  * `<*>` - ODH minimal deployment to support models (`LLMInferenceService` machinery)
+
+**<3> models** - Model simulation resources for testing and development environments
+
+**<4> overlays** - Environment-specific configurations:
+- `dev` - Development overlay with debug mode and local infrastructure
+- `odh` - OpenDataHub operator overlay for core MaaS API component deployment (no policies/infra)
+- `secret` - Secret provider-based deployment configuration
+
+**<5> policies** - Kuadrant policies for authentication, rate limiting, and token management
+
+**<6> rbac** - Role-based access control manifests (ServiceAccount, ClusterRole, ClusterRoleBinding)

maas-api/deploy/base/deployment.yaml

@@ -11,7 +11,7 @@ spec:
         runAsNonRoot: true
       containers:
       - name: maas-api
-        image: maas-api:latest
+        image: maas-api
         imagePullPolicy: Always
         ports:
         - containerPort: 8080
@@ -22,11 +22,6 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        - name: ADMIN_API_KEY
-          valueFrom:
-            secretKeyRef:
-              name: maas-api-admin-secret
-              key: admin-api-key
         resources:
           requests:
             memory: "64Mi"

maas-api/deploy/base/kustomization.yaml

@@ -12,31 +12,8 @@ resources:
 namespace: maas-api
 
 labels:
-- pairs:
-    app.kubernetes.io/name: maas-api
+- includeSelectors: true
+  pairs:
     app.kubernetes.io/component: api
-  includeSelectors: true
-
-# See https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kustomize/
-secretGenerator:
-- name: maas-api-admin-secret
-  envs:
-  - admin.secret.env # secret for the admin API key, e.g. `admin-api-key=letmein`
-
-# This approach is used across odh components to set the image through GitOps
-configMapGenerator:
-- name: maas-api-config
-  envs:
-  - params.env
+    app.kubernetes.io/name: maas-api
 
-replacements:
-- source:
-    kind: ConfigMap
-    name: maas-api-config
-    fieldPath: data.maas-api-image
-  targets:
-  - select:
-      kind: Deployment
-      name: maas-api
-    fieldPaths:
-    - spec.template.spec.containers.[name=maas-api].image

maas-api/deploy/infra/odh/kustomization.yaml

@@ -3,7 +3,8 @@ kind: Kustomization
 
 metadata:
   name: odh-infra
-
+  
+# Set of Kustomize manifests with OpenDataHub components required for MaaS.
 # For now, install only Model Serving pieces
 resources:
 - github.com/opendatahub-io/kserve/config/overlays/odh?ref=release-v0.15

maas-api/deploy/overlays/dev/infra/networking/httproute.yaml

@@ -1,7 +1,8 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: maas-api-dev-route
+  name: maas-api-route
+  namespace: maas-api
 spec:
   parentRefs:
     - name: openshift-ai-inference

maas-api/deploy/overlays/dev/infra/networking/kustomization.yaml

@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 metadata:
-  name: maas-api-networking-infra
+  name: maas-api-gw-api-routing-infra
 
 resources:
 - gateway.yaml

maas-api/deploy/overlays/dev/kustomization.yaml

@@ -16,17 +16,9 @@ transformers:
 - transformers/namespace.yaml
 
 patches:
-- path: patches/debug-mode-patch.yaml
+- path: patches/debug-mode.yaml
 
-# Overwrite the image to use the local image set through kustomize edit set image
-# This is needed because the image is set in the base/deployment.yaml using params.env "injection"
 images:
 - name: maas-api
-  newName: quay.io/opendatahub/maas-api:latest
+  newName: quay.io/opendatahub/maas-api
   newTag: latest
-
-secretGenerator:
-- name: maas-api-admin-secret
-  behavior: replace
-  literals:
-  - admin-api-key=letmein