chore: promote main to stable

.github/hack/cleanup-odh.sh

@@ -77,6 +77,10 @@ kubectl delete operatorgroup odh-operator-group -n odh-operator --ignore-not-fou
 echo "7. Deleting odh-operator namespace..."
 kubectl delete ns odh-operator --ignore-not-found --timeout=120s 2>/dev/null || true
 
+# 8. Delete opendatahub namespace (contains deployed components)
+echo "8. Deleting opendatahub namespace..."
+kubectl delete ns opendatahub --ignore-not-found --timeout=120s 2>/dev/null || true
+
 force_delete_namespace() {
     local ns=$1
     shift
@@ -107,10 +111,6 @@ force_delete_namespace() {
     kubectl wait --for=delete namespace/"$ns" --timeout=30s 2>/dev/null || true
 }
 
-# 8. Delete opendatahub namespace (contains deployed components)
-echo "8. Deleting opendatahub namespace..."
-force_delete_namespace "opendatahub" "maasmodelrefs.maas.opendatahub.io"
-
 # 9. Delete models-as-a-service namespace (contains MaaS CRs)
 echo "9. Deleting models-as-a-service namespace..."
 force_delete_namespace "models-as-a-service" \
@@ -120,12 +120,12 @@ force_delete_namespace "models-as-a-service" \
 for policy_ns in kuadrant-system rh-connectivity-link; do
     echo "10. Deleting $policy_ns namespace (if installed)..."
     force_delete_namespace "$policy_ns" \
-    "authorinos.operator.authorino.kuadrat.io" "kuadrants.kuadrant.io" "limitadors.limitador.kuadrant.io"
+    "authorinos.operator.authorino.kuadrant.io" "kuadrants.kuadrant.io" "limitadors.limitador.kuadrant.io"
 done
 
 # 11. Delete llm namespace and model resources
 echo "11. Deleting LLM models and namespace..."
-force_delete_namespace "llm" "llminferenceservice" "inferenceservice"
+force_delete_namespace "llm" "llminferenceservice" "inferenceservice" "maasmodelrefs.maas.opendatahub.io"
 
 # 12. Delete gateway resources in openshift-ingress
 echo "12. Deleting gateway resources..."

.github/hack/install-odh.sh

@@ -5,9 +5,12 @@
 # Prerequisites: cert-manager and LWS operators (run install-cert-manager-and-lws.sh first).
 #
 # Environment variables:
-#   OPERATOR_CATALOG - Custom catalog image (optional). When unset, uses community-operators (ODH 3.3).
+#   OPERATOR_CATALOG - Custom catalog image (optional). When unset, uses community-operators.
 #                      Set to e.g. quay.io/opendatahub/opendatahub-operator-catalog:latest for custom builds.
-#   OPERATOR_CHANNEL - Subscription channel (default: fast-3 for community, fast for custom catalog)
+#   OPERATOR_CHANNEL   - Subscription channel (default: fast-3)
+#   OPERATOR_STARTING_CSV - Pin Subscription startingCSV (default: opendatahub-operator.v3.4.0-ea.1). Set to "-" to omit.
+#   OPERATOR_INSTALL_PLAN_APPROVAL - Manual (default) or Automatic; use "-" to omit.
+#     Manual: blocks auto-upgrades; this script auto-approves only the first InstallPlan so install does not stall.
 #   OPERATOR_IMAGE   - Custom operator image to patch into CSV (optional)
 #
 # Usage: ./install-odh.sh
@@ -21,6 +24,8 @@ DATA_DIR="${REPO_ROOT}/scripts/data"
 NAMESPACE="${OPERATOR_NAMESPACE:-opendatahub}"
 OPERATOR_CATALOG="${OPERATOR_CATALOG:-}"
 OPERATOR_CHANNEL="${OPERATOR_CHANNEL:-}"
+OPERATOR_STARTING_CSV="${OPERATOR_STARTING_CSV:-}"
+OPERATOR_INSTALL_PLAN_APPROVAL="${OPERATOR_INSTALL_PLAN_APPROVAL:-}"
 OPERATOR_IMAGE="${OPERATOR_IMAGE:-}"
 
 # Source deployment helpers
@@ -59,28 +64,38 @@ patch_operator_csv_if_needed() {
 echo "=== Installing OpenDataHub operator ==="
 echo ""
 
-# 1. Catalog setup: use community-operators (ODH 3.3) by default, or custom catalog when OPERATOR_CATALOG is set
+# 1. Catalog setup: community-operators by default, or custom catalog when OPERATOR_CATALOG is set
 echo "1. Setting up ODH catalog..."
 if [[ -n "$OPERATOR_CATALOG" ]]; then
   echo "   Using custom catalog: $OPERATOR_CATALOG"
   create_custom_catalogsource "odh-custom-catalog" "openshift-marketplace" "$OPERATOR_CATALOG"
   catalog_source="odh-custom-catalog"
-  channel="${OPERATOR_CHANNEL:-fast}"
+  channel="${OPERATOR_CHANNEL:-fast-3}"
 else
-  echo "   Using community-operators (ODH 3.3)"
+  echo "   Using community-operators"
   catalog_source="community-operators"
   channel="${OPERATOR_CHANNEL:-fast-3}"
 fi
 
+# Pin to ODH 3.4 EA1 unless overridden (omit with OPERATOR_STARTING_CSV=- to follow channel head)
+starting_csv="${OPERATOR_STARTING_CSV:-opendatahub-operator.v3.4.0-ea.1}"
+[[ "$starting_csv" == "-" ]] && starting_csv=""
+
+# Manual = no auto-upgrades; install_olm_operator still approves the first InstallPlan programmatically
+plan_approval="${OPERATOR_INSTALL_PLAN_APPROVAL:-Manual}"
+[[ "$plan_approval" == "-" ]] && plan_approval=""
+
 # 2. Install ODH operator via OLM
 echo "2. Installing ODH operator..."
 install_olm_operator \
   "opendatahub-operator" \
   "$NAMESPACE" \
   "$catalog_source" \
   "$channel" \
-  "" \
-  "AllNamespaces"
+  "$starting_csv" \
+  "AllNamespaces" \
+  "openshift-marketplace" \
+  "$plan_approval"
 
 # 3. Patch CSV with custom image if specified
 if [[ -n "$OPERATOR_IMAGE" ]]; then

.gitignore

@@ -29,6 +29,7 @@ __pycache__/
 *$py.class
 *.so
 .Python
+.venv/
 env/
 venv/
 ENV/
@@ -37,8 +38,19 @@ venv.bak/
 pip-log.txt
 pip-delete-this-directory.txt
 .coverage
+coverage.xml
 .pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.tox/
 htmlcov/
+
+# Test / build reports
+reports/
+
+# OS / editor cruft
+.DS_Store
+.vscode/
 apps/frontend/.env.local
 apps/backend/.env
 CLAUDE.md

.gitleaks.toml

@@ -0,0 +1,67 @@
+# Gitleaks configuration for opendatahub-io repos
+# Synced from security-config. Do not edit in target repos.
+#
+# Path allowlists use Go regex syntax.
+# Real credentials should NEVER be committed to any repository.
+
+[extend]
+  useDefault = true
+
+[allowlist]
+  description = "Exclude test fixtures, mock data, sample configs, and CI resources"
+  paths = [
+    # Go test files (commonly contain mock credentials)
+    '''.*_test\.go$''',
+
+    # JS/TS test files (.spec.ts, .test.tsx, etc.)
+    '''.*\.spec\.(ts|tsx|js|jsx)$''',
+    '''.*\.test\.(ts|tsx|js|jsx)$''',
+
+    # JS/TS test directories
+    '''__tests__/''',
+
+    # Go testdata directories
+    '''testdata/''',
+
+    # Python test data directories
+    '''test_data/''',
+
+    # Test fixtures
+    '''fixtures/''',
+
+    # JavaScript/TypeScript mocks
+    '''__mocks__/''',
+
+    # Go/Java/TS mock directories
+    '''mocks/''',
+    '''k8mocks/''',
+
+    # Sample and example configs with placeholder credentials
+    '''docs/samples/''',
+    '''config/samples/''',
+    '''config/overlays/test/''',
+
+    # CI/GitHub Actions test resources
+    '''\.github/resources/''',
+
+    # E2E test credentials
+    '''test/e2e/credentials/''',
+    '''tests/e2e/credentials/''',
+
+    # OpenShift CI sample resources
+    '''openshift-ci/resources/samples/''',
+
+    # Cypress test data
+    '''cypress/fixtures/''',
+    '''cypress/tests/mocked/''',
+
+    # Test certificate and key files
+    '''tests/data/.*\.(pem|crt|key)$''',
+  ]
+
+  # Known test/placeholder credentials used in documentation and tests
+  regexes = [
+    '''database-password\s*:\s*"?(The)?BlurstOfTimes"?''',
+    '''database-user\s*:\s*"?mlmduser"?''',
+    '''database-user\s*:\s*"?modelregistryuser"?''',
+  ]

.gitleaksignore

@@ -0,0 +1,5 @@
+# Gitleaks ignore file
+# Add false positive fingerprints below (one per line)
+# Format: commit:file:rule-id:line or file:rule-id:line
+#
+# For path-based exclusions, use .gitleaks.toml allowlist instead.

.tekton/odh-maas-api-pull-request.yaml

@@ -29,6 +29,12 @@ spec:
     value: maas-api/Dockerfile
   - name: path-context
     value: maas-api
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    - linux/arm64
+    - linux/ppc64le
+    - linux/s390x
   - name: additional-tags
     value:
     - 'odh-pr-{{revision}}'

.tekton/odh-maas-api-push.yaml

@@ -28,6 +28,12 @@ spec:
     value: maas-api/Dockerfile
   - name: path-context
     value: maas-api
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    - linux/arm64
+    - linux/ppc64le
+    - linux/s390x
   pipelineRef:
     resolver: git
     params:

.tekton/odh-maas-controller-pull-request.yaml

@@ -34,6 +34,12 @@ spec:
     - 'odh-pr-{{revision}}'
   - name: pipeline-type
     value: pull-request
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    - linux/arm64
+    - linux/ppc64le
+    - linux/s390x
   pipelineRef:
     resolver: git
     params:

.tekton/odh-maas-controller-push.yaml

@@ -28,6 +28,12 @@ spec:
     value: Dockerfile
   - name: path-context
     value: maas-controller
+  - name: build-platforms
+    value:
+    - linux/x86_64
+    - linux/arm64
+    - linux/ppc64le
+    - linux/s390x
   pipelineRef:
     resolver: git
     params:

OWNERS

@@ -4,6 +4,7 @@ approvers:
   - chaitanya1731
   - nerdalert
   - jland-redhat
+  - nirrozenbaum
   - dmytro-zaharnytskyi
   - SB159
   - noyitz
@@ -21,6 +22,7 @@ reviewers:
   - chaitanya1731
   - nerdalert
   - jland-redhat
+  - nirrozenbaum
   - dmytro-zaharnytskyi
   - SB159
   - noyitz

README.md

@@ -59,12 +59,9 @@ For detailed instructions, see the [Deployment Guide](docs/content/quickstart.md
 |------|--------|---------|-------------|
 | `--deployment-mode` | `operator`, `kustomize` | `operator` | Deployment method |
 | `--operator-type` | `rhoai`, `odh` | `rhoai` | Which operator to install |
-| `--policy-engine` | `rhcl`, `kuadrant` | auto | Gateway policy engine (rhcl for operators, kuadrant for kustomize) |
 | `--enable-tls-backend` | flag | enabled | TLS for Authorino ↔ MaaS API |
-| `--skip-certmanager` | flag | auto-detect | Skip cert-manager installation |
-| `--skip-lws` | flag | auto-detect | Skip LeaderWorkerSet installation |
+| `--disable-tls-backend` | flag | `false` | Disable TLS backend |
 | `--namespace` | string | auto | Target namespace |
-| `--timeout` | seconds | `300` | Operation timeout |
 | `--verbose` | flag | false | Enable debug logging |
 | `--dry-run` | flag | false | Show plan without executing |
 | `--help` | flag | - | Display full help |
@@ -82,14 +79,16 @@ For detailed instructions, see the [Deployment Guide](docs/content/quickstart.md
 | Variable | Description | Example |
 |----------|-------------|---------|
 | `MAAS_API_IMAGE` | Custom MaaS API container image (works in both operator and kustomize modes) | `quay.io/user/maas-api:pr-123` |
+| `MAAS_CONTROLLER_IMAGE` | Custom MaaS controller container image | `quay.io/user/maas-controller:pr-123` |
 | `OPERATOR_CATALOG` | Custom operator catalog | `quay.io/opendatahub/catalog:pr-456` |
 | `OPERATOR_IMAGE` | Custom operator image | `quay.io/opendatahub/operator:pr-456` |
 | `OPERATOR_TYPE` | Operator type (rhoai/odh) | `odh` |
-| `POLICY_ENGINE` | Policy engine (rhcl/kuadrant) | `kuadrant` |
 | `LOG_LEVEL` | Logging verbosity | `DEBUG`, `INFO`, `WARN`, `ERROR` |
 
 **Note:** TLS backend is enabled by default. Use `--disable-tls-backend` to disable.
 
+**Note:** The policy engine is auto-determined based on operator type (`rhcl` for RHOAI, `kuadrant` for ODH/kustomize) and does not need to be set manually.
+
 ### Deployment Examples
 
 #### Standard Deployments
@@ -119,9 +118,6 @@ MAAS_API_IMAGE=quay.io/myuser/maas-api:pr-123 \
 #### Minimal Deployments
 
 ```bash
-# Skip optional operators (if already installed)
-./scripts/deploy.sh --skip-certmanager --skip-lws
-
 # Deploy without TLS backend (HTTP tier lookup)
 ./scripts/deploy.sh --disable-tls-backend
 ```

deployment/base/maas-api/core/deployment.yaml

@@ -24,6 +24,8 @@ spec:
               fieldPath: metadata.namespace
         - name: SECURE
           value: "false"
+        - name: MAAS_SUBSCRIPTION_NAMESPACE
+          value: "models-as-a-service"
         resources:
           requests:
             memory: "64Mi"