key manager poc (#19)

Signed-off-by: Brent Salisbury <bsalisbu@redhat.com>

Author: nerdalert

deployment/kuadrant-openshift/key-manager/00-platform-services-namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: platform-services
+  labels:
+    istio-injection: disabled

deployment/kuadrant-openshift/key-manager/01-rbac.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: key-manager
+  namespace: platform-services
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: key-manager-secrets
+  namespace: llm
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get","list","create","delete","watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: key-manager-secrets
+  namespace: llm
+subjects:
+- kind: ServiceAccount
+  name: key-manager
+  namespace: platform-services
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: key-manager-secrets
+---
+# Optional: Allow key-manager to read HTTPRoutes for discovery endpoint
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: key-manager-httproutes
+  namespace: llm
+rules:
+- apiGroups: ["gateway.networking.k8s.io"]
+  resources: ["httproutes"]
+  verbs: ["get","list","watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: key-manager-httproutes
+  namespace: llm
+subjects:
+- kind: ServiceAccount
+  name: key-manager
+  namespace: platform-services
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: key-manager-httproutes

deployment/kuadrant-openshift/key-manager/02-deployment.yaml

@@ -0,0 +1,96 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: key-manager
+  namespace: platform-services
+  labels:
+    app: key-manager
+    version: v1
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: key-manager
+  template:
+    metadata:
+      labels:
+        app: key-manager
+        version: v1
+      annotations:
+        sidecar.istio.io/inject: "false"
+    spec:
+      serviceAccountName: key-manager
+      securityContext:
+        runAsNonRoot: true
+      containers:
+      - name: api
+        image: ghcr.io/nerdalert/maas-key-manager:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
+        env:
+        - name: KEY_NAMESPACE
+          value: llm
+        - name: SECRET_SELECTOR_LABEL
+          value: kuadrant.io/apikeys-by
+        - name: SECRET_SELECTOR_VALUE
+          value: rhcl-keys
+        - name: DISCOVERY_ROUTE
+          value: inference-route
+        - name: PORT
+          value: "8080"
+        - name: ADMIN_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: key-manager-admin
+              key: admin-key
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: http
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          timeoutSeconds: 3
+          failureThreshold: 3
+        resources:
+          requests:
+            memory: "64Mi"
+            cpu: "250m"
+          limits:
+            memory: "128Mi"
+            cpu: "500m"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: key-manager
+  namespace: platform-services
+  labels:
+    app: key-manager
+spec:
+  selector:
+    app: key-manager
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080
+    protocol: TCP
+  type: ClusterIP

deployment/kuadrant-openshift/key-manager/03-auth-policy.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: kuadrant.io/v1
+kind: AuthPolicy
+metadata:
+  name: gateway-auth-policy
+  namespace: llm
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: inference-gateway
+  rules:
+    authentication:
+      api-key-users-apikey:
+        apiKey:
+          allNamespaces: true
+          selector:
+            matchLabels:
+              kuadrant.io/apikeys-by: rhcl-keys
+        credentials:
+          authorizationHeader:
+            prefix: APIKEY
+      api-key-users-bearer:
+        apiKey:
+          allNamespaces: true
+          selector:
+            matchLabels:
+              kuadrant.io/apikeys-by: rhcl-keys
+        credentials:
+          authorizationHeader:
+            prefix: Bearer
+    response:
+      success:
+        filters:
+          identity:
+            json:
+              properties:
+                userid:
+                  selector: auth.identity.metadata.labels.maas/user-id
+                groups:
+                  selector: auth.identity.metadata.labels.maas/user-id

deployment/kuadrant-openshift/key-manager/04-token-rate-limit-policy.yaml

@@ -0,0 +1,21 @@
+# Gateway-level Token Rate Limiting Policy for key-manager integration
+# Automatically tracks tokens from response bodies (usage.total_tokens)
+# Uses user groups from secret annotations set by key-manager
+---
+apiVersion: kuadrant.io/v1alpha1
+kind: TokenRateLimitPolicy
+metadata:
+  name: gateway-token-rate-limits
+  namespace: llm
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: inference-gateway
+  limits:
+    all-users-tokens:
+      rates:
+        - limit: 10000
+          window: 1m
+      counters:
+        - expression: auth.identity.userid

deployment/kuadrant-openshift/key-manager/05-external-access.yaml

@@ -0,0 +1,61 @@
+# Optional: External access for remote key management
+# Choose ONE of the options below based on your cluster setup TODO: pick one
+
+# Option 1: OpenShift Route (for OpenShift clusters)
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: key-manager-route
+  namespace: platform-services
+spec:
+  to:
+    kind: Service
+    name: key-manager
+  port:
+    targetPort: http
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+
+# Option 2: Kubernetes Ingress (for other clusters)  
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: key-manager-ingress
+  namespace: platform-services
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+spec:
+  tls:
+  - hosts:
+    - key-manager.your-domain.com
+    secretName: key-manager-tls
+  rules:
+  - host: key-manager.your-domain.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: key-manager
+            port:
+              number: 80
+
+# Option 3: LoadBalancer Service (for cloud providers)
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: key-manager-external
+  namespace: platform-services
+spec:
+  type: LoadBalancer
+  selector:
+    app: key-manager
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080

deployment/kuadrant-openshift/key-manager/06-admin-secret.yaml

@@ -0,0 +1,11 @@
+# Admin API key secret for key-manager authentication
+# Generate a secure admin key and replace the placeholder
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: key-manager-admin
+  namespace: platform-services
+type: Opaque
+stringData:
+  admin-key: "<INSERT-ADMIN-KEY>"

deployment/kuadrant-openshift/key-manager/07-key-manager-routing.yaml

@@ -0,0 +1,26 @@
+# HTTPRoute for Key Manager Service
+# Provides external access via domain-based routing
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: key-manager-domain-route
+  namespace: llm
+  labels:
+    kuadrant.io/gateway: inference-gateway
+spec:
+  parentRefs:
+    - name: inference-gateway
+      namespace: llm
+  hostnames:
+    - "key-manager.apps.summit-gpu.octo-emerging.redhataicoe.com"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: key-manager
+          namespace: platform-services
+          port: 80
+          weight: 100

deployment/kuadrant-openshift/key-manager/08-reference-grant.yaml

@@ -0,0 +1,17 @@
+# ReferenceGrant to allow HTTPRoute in llm namespace to reference 
+# key-manager service in platform-services namespace
+---
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: key-manager-access
+  namespace: platform-services
+spec:
+  from:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    namespace: llm
+  to:
+  - group: ""
+    kind: Service
+    name: key-manager

deployment/kuadrant-openshift/key-manager/09-key-manager-route.yaml

@@ -0,0 +1,19 @@
+# OpenShift Route for Key Manager Service
+# Directs traffic from OpenShift router to Istio gateway
+---
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: key-manager-route
+  namespace: llm
+  labels:
+    app: maas-gateway
+spec:
+  host: key-manager.apps.summit-gpu.octo-emerging.redhataicoe.com
+  port:
+    targetPort: 80
+  to:
+    kind: Service
+    name: inference-gateway-istio
+    weight: 100
+  wildcardPolicy: None