refactor(kustomize): consolidate deployment manifests

This change introduces a single source of truth to make deployments simpler.

Existing `maas-api/deploy` manifests are promoted to top-level
`deployment` folder, reducing duplication and improving the structure.

Installation script for OpenShift has been adjusted:

- Fixed OCP version check - using cluster info instead as it's more
  reliable
- Add helpers to wait for CRDs/pods and a version comparator;
- Auto-detect and patch AuthPolicy audience; apply gateway policies in
  sequence after infra becomes ready.
- Detect existing ODH/RHOAI KServe; deploy components only when missing,
  then proceed with retries.

Signed-off-by: Bartosz Majsak <bartosz.majsak@gmail.com>

Author: bartoszmajsak

deployment/README.md

@@ -191,18 +191,13 @@ AUD="$(kubectl create token default --duration=10m \
 
 echo "Patching AuthPolicy with audience: $AUD"
 
-# Note: Auth policy path may vary depending on your deployment
-# For consolidated deployment structure:
-
-# Patch MaaS API AuthPolicy
-kubectl patch --local -f ${PROJECT_DIR}/deployment/base/policies/maas-auth-policy.yaml \
+kubectl patch authpolicy maas-api-auth-policy -n maas-api \
   --type='json' \
   -p "$(jq -nc --arg aud "$AUD" '[{
     op:"replace",
     path:"/spec/rules/authentication/openshift-identities/kubernetesTokenReview/audiences/0",
     value:$aud
-  }]')" \
-  -o yaml | kubectl apply -f -
+  }]')"
 
 ```
 ## Testing the Deployment

deployment/base/maas-api/clusterrole.yaml

@@ -1,59 +1,36 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: maas-api
-  namespace: maas-api
-  labels:
-    app: maas-api
-    version: v2
 spec:
   replicas: 1
-  selector:
-    matchLabels:
-      app: maas-api
   template:
-    metadata:
-      labels:
-        app: maas-api
-        version: v2
-      annotations:
-        sidecar.istio.io/inject: "false"
     spec:
       serviceAccountName: maas-api
       securityContext:
         runAsNonRoot: true
       containers:
       - name: maas-api
-        image: quay.io/opendatahub/maas-api:latest
+        image: maas-api
         imagePullPolicy: Always
         ports:
         - containerPort: 8080
           name: http
           protocol: TCP
         env:
-        - name: PROVIDER
-          value: "sa-tokens"
         - name: NAMESPACE
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        - name: KEY_NAMESPACE
-          value: llm
-        - name: SECRET_SELECTOR_LABEL
-          value: kuadrant.io/apikeys-by
-        - name: SECRET_SELECTOR_VALUE
-          value: rhcl-keys
-        - name: PORT
-          value: "8080"
-        - name: CREATE_DEFAULT_TEAM
-          value: "true"
-        - name: TOKEN_RATE_LIMIT_POLICY_NAME
-          value: "gateway-token-rate-limits"
-        - name: AUTH_POLICY_NAME
-          value: "gateway-auth-policy"
-        - name: GIN_MODE
-          value: "debug"
+        - name: PROVIDER
+          value: sa-tokens
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "50m"
+          limits:
+            memory: "128Mi"
+            cpu: "200m"
         livenessProbe:
           httpGet:
             path: /health
@@ -70,17 +47,11 @@ spec:
           periodSeconds: 5
           timeoutSeconds: 3
           failureThreshold: 3
-        resources:
-          requests:
-            memory: "64Mi"
-            cpu: "250m"
-          limits:
-            memory: "128Mi"
-            cpu: "500m"
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:
             drop:
             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
+      terminationGracePeriodSeconds: 30

deployment/base/maas-api/clusterrolebinding.yaml

@@ -7,9 +7,19 @@ resources:
   - namespace.yaml
   - deployment.yaml
   - service.yaml
-  - httproute.yaml
-  - maas-auth-policy.yaml
-  - tier-mapping-configmap.yaml
-  - clusterrolebinding.yaml
-  - clusterrole.yaml
-  - serviceaccount.yaml
+  - rbac
+  - networking
+  - policies
+  - resources
+
+labels:
+  - includeSelectors: true 
+    pairs:
+      app.kubernetes.io/part-of: model-as-a-service
+      app.kubernetes.io/component: api
+      app.kubernetes.io/name: maas-api
+      
+images:
+  - name: maas-api
+    newName: quay.io/opendatahub/maas-api
+    newTag: latest

deployment/base/maas-api/deployment.yaml

@@ -5,5 +5,4 @@ metadata:
   name: maas-api-gw-api-routing-infra
 
 resources:
-- gateway.yaml
 - httproute.yaml

deployment/base/maas-api/kustomization.yaml

@@ -4,5 +4,6 @@ kind: Kustomization
 metadata:
   name: maas-api-policies
 
+# This requires Kuadrant/Red Hat Connectivity Link to be installed
 resources:
 - auth-policy.yaml