
Commit 97865c6

committed
Merge branch 'main' into jr_55467
2 parents f4078fb + de748ab commit 97865c6


76 files changed

+4234
-1445
lines changed


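--- a/.github/hack/cleanup-odh.sh
+++ b/.github/hack/cleanup-odh.sh
@@ -9,6 +9,7 @@
 # - ODH operator namespace (odh-operator)
 # - OpenDataHub application namespace (opendatahub)
 # - MaaS subscription namespace (models-as-a-service)
+# - Keycloak identity provider (if deployed)
 # - ODH CRDs (optional)
 #
 # Usage: ./cleanup-odh.sh [--include-crds]
@@ -123,33 +124,52 @@ for policy_ns in kuadrant-system rh-connectivity-link; do
 "authorinos.operator.authorino.kuadrant.io" "kuadrants.kuadrant.io" "limitadors.limitador.kuadrant.io"
 done
 
-# 11. Delete llm namespace and model resources
-echo "11. Deleting LLM models and namespace..."
+# 11. Delete Keycloak identity provider (if installed)
+echo "11. Deleting Keycloak namespace (if installed)..."
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd ../.. && pwd)"
+if [[ -f "${SCRIPT_DIR}/scripts/cleanup-keycloak.sh" ]]; then
+# Pass --delete-crds if --include-crds was specified for this script
+if $INCLUDE_CRDS; then
+"${SCRIPT_DIR}/scripts/cleanup-keycloak.sh" --force --delete-crds 2>/dev/null || true
+else
+"${SCRIPT_DIR}/scripts/cleanup-keycloak.sh" --force 2>/dev/null || true
+fi
+else
+# Fallback if cleanup script not found - direct cleanup
+force_delete_namespace "keycloak-system" "keycloaks.k8s.keycloak.org"
+if $INCLUDE_CRDS; then
+kubectl delete crd keycloaks.k8s.keycloak.org --ignore-not-found 2>/dev/null || true
+kubectl delete crd keycloakrealmimports.k8s.keycloak.org --ignore-not-found 2>/dev/null || true
+fi
+fi
+
+# 12. Delete llm namespace and model resources
+echo "12. Deleting LLM models and namespace..."
 force_delete_namespace "llm" "llminferenceservice" "inferenceservice" "maasmodelrefs.maas.opendatahub.io"
 
-# 12. Delete gateway resources in openshift-ingress
-echo "12. Deleting gateway resources..."
+# 13. Delete gateway resources in openshift-ingress
+echo "13. Deleting gateway resources..."
 kubectl delete gateway maas-default-gateway -n openshift-ingress --ignore-not-found 2>/dev/null || true
 kubectl delete envoyfilter -n openshift-ingress -l kuadrant.io/managed=true --ignore-not-found 2>/dev/null || true
 kubectl delete envoyfilter kuadrant-auth-tls-fix -n openshift-ingress --ignore-not-found 2>/dev/null || true
 kubectl delete authpolicy -n openshift-ingress --all --ignore-not-found 2>/dev/null || true
 kubectl delete ratelimitpolicy -n openshift-ingress --all --ignore-not-found 2>/dev/null || true
 kubectl delete tokenratelimitpolicy -n openshift-ingress --all --ignore-not-found 2>/dev/null || true
 
-# 13. Delete MaaS RBAC (ClusterRoles, ClusterRoleBindings - can conflict with other managers)
-echo "13. Deleting MaaS RBAC..."
+# 14. Delete MaaS RBAC (ClusterRoles, ClusterRoleBindings - can conflict with other managers)
+echo "14. Deleting MaaS RBAC..."
 kubectl delete clusterrolebinding maas-api maas-controller-rolebinding --ignore-not-found 2>/dev/null || true
 kubectl delete clusterrole maas-api maas-controller-role --ignore-not-found 2>/dev/null || true
 
-# 14. Optionally delete CRDs
+# 15. Optionally delete CRDs
 if $INCLUDE_CRDS; then
-echo "14. Deleting ODH CRDs..."
+echo "15. Deleting ODH CRDs..."
 kubectl delete crd datascienceclusters.datasciencecluster.opendatahub.io --ignore-not-found 2>/dev/null || true
 kubectl delete crd dscinitializations.dscinitialization.opendatahub.io --ignore-not-found 2>/dev/null || true
 kubectl delete crd datasciencepipelinesapplications.datasciencepipelinesapplications.opendatahub.io --ignore-not-found 2>/dev/null || true
 # Add more CRDs as needed
 else
-echo "14. Skipping CRD deletion (use --include-crds to remove CRDs)"
+echo "15. Skipping CRD deletion (use --include-crds to remove CRDs)"
 fi
 
 echo ""
@@ -158,4 +178,4 @@ echo ""
 echo "Verify cleanup with:"
 echo " kubectl get subscription -A | grep -i odh"
 echo " kubectl get csv -A | grep -i odh"
-echo " kubectl get ns | grep -E 'odh|opendatahub|models-as-a-service|kuadrant|rh-connectivity-link|llm'"
+echo " kubectl get ns | grep -E 'odh|opendatahub|models-as-a-service|kuadrant|rh-connectivity-link|keycloak-system|llm'"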
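Review bot: The `-f` test on the new cleanup-keycloak.sh guard only checks existence, so a script that is present but not executable fails with a permission error that the following `2>/dev/null || true` swallows, and step 11 reports nothing while the Keycloak namespace and CRDs stay behind; `if [[ -x "${SCRIPT_DIR}/scripts/cleanup-keycloak.sh" ]]; then` lets the direct-cleanup fallback take over in that case (or invoke the script through `bash` explicitly). For the same reason consider keeping stderr on the two script invocations — they are already guarded by `|| true` — so an operator sees why Keycloak cleanup failed instead of discovering it only through the `kubectl get ns` check at the end. `INCLUDE_CRDS` and `force_delete_namespace` are defined outside this hunk, so whether `--force` and `--delete-crds` are the flags cleanup-keycloak.sh actually accepts cannot be confirmed from here.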

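--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -57,7 +57,8 @@ This project follows a **Stream-Lake-Ocean** release model. Code flows from acti
 |------|--------|
 | `scripts/` | Deployment and install scripts (e.g. `deploy.sh`, `deployment-helpers.sh`, `install-dependencies.sh`) |
 | `deployment/` | Kustomize manifests (base, overlays, networking, components) |
-| `maas-api/` | Go API service (keys, tokens, tiers); see [maas-api/README.md](maas-api/README.md) |
+| `maas-api/` | Go API service (keys, tokens, subscriptions); see [maas-api/README.md](maas-api/README.md) |
+| `maas-controller/` | Kubernetes controller for MaaS CRDs; see [maas-controller/README.md](maas-controller/README.md) |
 | `docs/` | User and admin documentation (MkDocs); [online docs](https://opendatahub-io.github.io/models-as-a-service/) |
 | `test/` | E2E and billing/smoke tests |
 | `.github/workflows/` | CI (build, PR title validation, MaaS API lint/build) |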

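--- a/OWNERS
+++ b/OWNERS
@@ -34,3 +34,4 @@ reviewers:
 - somya-bhatnagar
 - liangwen12year
 - ryancham715
+- EgorLu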

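--- a/README.md
+++ b/README.md
@@ -120,7 +120,7 @@ MAAS_API_IMAGE=quay.io/myuser/maas-api:pr-123 \
 #### Minimal Deployments
 
 ```bash
-# Deploy without TLS backend (HTTP tier lookup)
+# Deploy without TLS backend (HTTP for Authorino to maas-api)
 ./scripts/deploy.sh --disable-tls-backend
 ```
 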
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
apiVersion: batch/v1
2+
kind: CronJob
3+
metadata:
4+
name: maas-api-key-cleanup
5+
spec:
6+
schedule: "*/15 * * * *"
7+
concurrencyPolicy: Forbid
8+
successfulJobsHistoryLimit: 3
9+
failedJobsHistoryLimit: 3
10+
jobTemplate:
11+
spec:
12+
activeDeadlineSeconds: 60
13+
backoffLimit: 2
14+
template:
15+
metadata:
16+
labels:
17+
app: maas-api-cleanup
18+
spec:
19+
serviceAccountName: maas-api
20+
restartPolicy: OnFailure
21+
securityContext:
22+
runAsNonRoot: true
23+
containers:
24+
- name: cleanup
25+
image: curlimages/curl:8.19.0
26+
command:
27+
- /bin/sh
28+
- -c
29+
- |
30+
curl -sf -X POST http://maas-api:8080/internal/v1/api-keys/cleanup
31+
resources:
32+
requests:
33+
memory: "16Mi"
34+
cpu: "10m"
35+
limits:
36+
memory: "32Mi"
37+
cpu: "50m"
38+
securityContext:
39+
allowPrivilegeEscalation: false
40+
capabilities:
41+
drop:
42+
- ALL
43+
readOnlyRootFilesystem: true
44+
runAsNonRoot: true
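Review bot: The cleanup pod runs as `serviceAccountName: maas-api`, which on this page is bound to the maas-api ClusterRole (secrets, subjectaccessreviews, MaaS CRs), yet the container only issues a curl and never uses the mounted token; adding `automountServiceAccountToken: false` to the pod spec keeps those credentials out of a curl image that does not need them. The `curl -sf` invocation also prints nothing on an HTTP error, so a failing cleanup leaves no trace in the job logs, and there is no client-side timeout, so a hung connection is only cut by `activeDeadlineSeconds: 60`; `curl -sSf --max-time 50 -X POST http://maas-api:8080/internal/v1/api-keys/cleanup` reports the error and bounds the call below the deadline. The POST carries no credential, so whatever limits callers of /internal/ is presumably the maas-api handler or network placement rather than this manifest — a one-line comment above the command naming which would help the next reader.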

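--- a/deployment/base/maas-api/core/kustomization.yaml
+++ b/deployment/base/maas-api/core/kustomization.yaml
@@ -4,6 +4,8 @@ kind: Kustomization
 resources:
 - deployment.yaml
 - service.yaml
+- cronjob-cleanup.yaml
+- networkpolicy-cleanup.yaml
 
 images:
 - name: maas-api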
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
apiVersion: networking.k8s.io/v1
2+
kind: NetworkPolicy
3+
metadata:
4+
name: maas-api-cleanup-restrict
5+
spec:
6+
# Restrict CronJob cleanup pods: they can only communicate with maas-api on port 8080.
7+
# This prevents the cleanup pods from being used as a pivot to access other services.
8+
# Note: L4 NetworkPolicy cannot restrict by URL path; the /internal/ endpoint is
9+
# additionally protected by not being exposed via the external Service/Route.
10+
podSelector:
11+
matchLabels:
12+
app: maas-api-cleanup
13+
policyTypes:
14+
- Egress
15+
- Ingress
16+
ingress: []
17+
egress:
18+
- to:
19+
- podSelector:
20+
matchLabels:
21+
app.kubernetes.io/name: maas-api
22+
ports:
23+
- protocol: TCP
24+
port: 8080
25+
# Allow DNS resolution
26+
- to:
27+
ports:
28+
- protocol: UDP
29+
port: 53
30+
- protocol: TCP
31+
port: 53
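Review bot: The header comment overstates what this policy does: it says the pods "can only communicate with maas-api on port 8080", but the second egress rule permits port 53 to any destination, and because the podSelector matches only the cleanup pods, nothing here restricts which other pods may reach maas-api on 8080 and POST to the /internal/ path. Suggest `# Restrict CronJob cleanup pods: egress only to maas-api on TCP 8080 plus DNS (53 to any destination); all ingress denied.` and, if the maas-api handler does not authenticate the cleanup endpoint, a companion ingress policy on maas-api (or an in-handler check) is what actually limits callers — neither is visible on this page. The egress target label `app.kubernetes.io/name: maas-api` must match what the maas-api Deployment carries, which this diff does not show.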

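--- a/deployment/base/maas-api/default/kustomization.yaml
+++ b/deployment/base/maas-api/default/kustomization.yaml
@@ -8,7 +8,6 @@ resources:
 - ../rbac
 - ../networking
 - ../policies
-- ../resources
 
 labels:
 - includeSelectors: true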

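--- a/deployment/base/maas-api/rbac/clusterrole.yaml
+++ b/deployment/base/maas-api/rbac/clusterrole.yaml
@@ -3,10 +3,6 @@ kind: ClusterRole
 metadata:
 name: maas-api
 rules:
-- apiGroups: [""]
-resources: ["configmaps"]
-verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-
 # Database configuration secret
 - apiGroups: [""]
 resources: ["secrets"]
@@ -35,6 +31,7 @@ rules:
 resources: ["subjectaccessreviews"]
 verbs: ["create"]
 
+
 # MaaS CRs for the models endpoint and subscription selector (cached via informer)
 - apiGroups: ["maas.opendatahub.io"]
 resources: ["maasmodelrefs", "maassubscriptions"]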

deployment/base/maas-api/resources/kustomization.yaml

Lines changed: 0 additions & 8 deletions
This file was deleted.
