opendatahub-io
diff --git a/‎Makefile‎
Lines changed: 120 additions & 8 deletions b/‎Makefile‎
Lines changed: 120 additions & 8 deletions
diff --git a/‎charts/maas/Chart.yaml‎
Lines changed: 16 additions & 0 deletions b/‎charts/maas/Chart.yaml‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎charts/maas/crds/maas.opendatahub.io_externalmodels.yaml‎
Lines changed: 164 additions & 0 deletions b/‎charts/maas/crds/maas.opendatahub.io_externalmodels.yaml‎
Lines changed: 164 additions & 0 deletions
@@ -1,11 +1,15 @@
 .PHONY: deploy deploy-all undeploy undeploy-kserve status help check-kubeconfig sync clear-cache
 .PHONY: deploy-cert-manager deploy-istio deploy-lws deploy-rhcl deploy-kserve deploy-opendatahub-prerequisites deploy-cert-manager-pki
-.PHONY: undeploy-rhcl test conformance deploy-mock-model clean-mock-model
+.PHONY: undeploy-rhcl deploy-maas undeploy-maas test conformance deploy-mock-model clean-mock-model lint
+.PHONY: demo-setup demo-run demo-cleanup demo-all setup-maas-tls
 
 HELMFILE_CACHE := $(HOME)/.cache/helmfile
 # Auto-detect KServe namespace: redhat-ods-applications (EA2) or opendatahub (EA1)
 KSERVE_NAMESPACE ?= $(shell kubectl get deployment llmisvc-controller-manager -n redhat-ods-applications -o name 2>/dev/null | grep -q . && echo redhat-ods-applications || echo opendatahub)
 RHCL ?= false
+MAAS ?= false
+MAAS_GATEWAY_NAME ?= maas-default-gateway
+MAAS_GATEWAY_NS ?= istio-system
 
 check-kubeconfig:
 	@kubectl cluster-info >/dev/null 2>&1 || (echo "ERROR: Cannot connect to cluster. Check KUBECONFIG." && exit 1)
@@ -17,20 +21,31 @@ help:
 	@echo "  make deploy              - Deploy cert-manager + istio + lws"
 	@echo "  make deploy-all          - Deploy all (cert-manager + istio + lws + kserve)"
 	@echo "  make deploy-all RHCL=true - Deploy all including RHCL"
+	@echo "  make deploy-all RHCL=true MAAS=true - Deploy all including RHCL + MaaS"
 	@echo "  make deploy-rhcl         - Deploy RHCL standalone (API gateway, auth, rate limiting)"
+	@echo "  make deploy-maas         - Deploy MaaS (API gateway, auth, rate limiting, subscriptions)"
+	@echo "  make setup-maas-tls      - Setup TLS cert chain for MaaS (Authorino CA trust)"
 	@echo "  make deploy-kserve       - Deploy KServe"
 	@echo ""
 	@echo "Undeploy:"
 	@echo "  make undeploy            - Remove all infrastructure"
 	@echo "  make undeploy-rhcl       - Remove RHCL"
+	@echo "  make undeploy-maas       - Remove MaaS"
 	@echo "  make undeploy-kserve     - Remove KServe"
 	@echo ""
 	@echo "Mock model (no GPU):"
 	@echo "  make deploy-mock-model   - Deploy mock LLMInferenceService"
 	@echo "  make clean-mock-model    - Clean up mock deployment"
 	@echo ""
+	@echo "Demo (full end-to-end):"
+	@echo "  make demo-setup          - Deploy mock model + MaaS resources"
+	@echo "  make demo-run            - Run interactive demo (auth, rate limiting, inference)"
+	@echo "  make demo-cleanup        - Remove demo resources (keeps stack)"
+	@echo "  make demo-all            - Setup + run in one shot"
+	@echo ""
 	@echo "Other:"
 	@echo "  make status              - Show deployment status"
+	@echo "  make lint                - Run local lints (helm lint, yamllint, shellcheck)"
 	@echo "  make test                - Run ODH conformance tests"
 	@echo "  make sync                - Fetch latest from git repos"
 	@echo "  make clear-cache         - Clear helmfile git cache"
@@ -52,11 +67,30 @@ deploy: check-kubeconfig clear-cache
 	@$(MAKE) status
 
 RHCL_TARGET := $(if $(filter true,$(RHCL)),deploy-rhcl,)
+MAAS_TARGET := $(if $(filter true,$(MAAS)),deploy-maas,)
+
+# MaaS requires RHCL — fail early if MAAS=true without RHCL=true
+$(if $(and $(filter true,$(MAAS)),$(filter-out true,$(RHCL))),$(error MAAS=true requires RHCL=true. Run: make deploy-all RHCL=true MAAS=true))
 
-deploy-all: check-kubeconfig deploy-cert-manager deploy-istio deploy-lws $(RHCL_TARGET) deploy-kserve
+deploy-all: check-kubeconfig deploy-cert-manager deploy-istio deploy-lws $(RHCL_TARGET) deploy-kserve $(MAAS_TARGET)
 	@$(MAKE) status
 
 deploy-cert-manager: check-kubeconfig clear-cache
+	@# Detect orphaned cert-manager pods not managed by our Helm release
+	@if kubectl get pods -n cert-manager --no-headers 2>/dev/null | grep -q .; then \
+		if ! helm list -n cert-manager-operator 2>/dev/null | grep -q cert-manager; then \
+			echo "WARNING: cert-manager pods exist in cert-manager namespace but no Helm release found in cert-manager-operator namespace."; \
+			echo "  To force cleanup, re-run with: CERT_MANAGER_FORCE_CLEANUP=true"; \
+			if [ "$${CERT_MANAGER_FORCE_CLEANUP:-false}" = "true" ]; then \
+				echo "  Cleaning orphaned resources..."; \
+				kubectl delete deployment --all -n cert-manager --ignore-not-found 2>/dev/null || true; \
+				kubectl delete sa --all -n cert-manager --ignore-not-found 2>/dev/null || true; \
+				echo "  Done. Proceeding with fresh deploy."; \
+			else \
+				echo "  Skipping cleanup (CERT_MANAGER_FORCE_CLEANUP=false)."; \
+			fi; \
+		fi; \
+	fi
 	helmfile apply --selector name=cert-manager-operator
 
 deploy-istio: check-kubeconfig clear-cache
@@ -80,9 +114,35 @@ undeploy-rhcl: check-kubeconfig
 	-helmfile destroy --selector name=rhcl --state-values-set rhclOperator.enabled=true
 	@echo "=== RHCL removed ==="
 
+deploy-maas: check-kubeconfig clear-cache
+	@echo "=== Deploying MaaS (Models as a Service) ==="
+	@echo "Prerequisites: KServe, RHCL, Istio, and cert-manager must be deployed first"
+	@kubectl get crd llminferenceservices.serving.kserve.io >/dev/null 2>&1 || \
+		(echo "ERROR: KServe not found. Run 'make deploy-kserve' first." && exit 1)
+	@kubectl get crd authpolicies.kuadrant.io >/dev/null 2>&1 || \
+		(echo "ERROR: Kuadrant/RHCL not found. Run 'make deploy-rhcl' first." && exit 1)
+	@kubectl get crd gateways.gateway.networking.k8s.io >/dev/null 2>&1 || \
+		(echo "ERROR: Gateway API CRDs not found. Run 'make deploy-istio' first." && exit 1)
+	@kubectl get kuadrant -n kuadrant-system -o name 2>/dev/null | grep -q . || \
+		(echo "ERROR: No Kuadrant instance found in kuadrant-system. Run 'make deploy-rhcl' first." && exit 1)
+	helmfile apply --selector name=maas --state-values-set maas.enabled=true
+	@echo "=== Running MaaS TLS setup (Authorino CA trust) ==="
+	@./scripts/setup-maas-tls.sh
+	@echo "=== MaaS deployed ==="
+
+setup-maas-tls: check-kubeconfig
+	@echo "=== Setting up MaaS TLS (cert chain + Authorino CA trust) ==="
+	@./scripts/setup-maas-tls.sh
+
+undeploy-maas: check-kubeconfig
+	@echo "=== Removing MaaS ==="
+	-helmfile destroy --selector name=maas --state-values-set maas.enabled=true
+	-kubectl delete crd maassubscriptions.maas.opendatahub.io maasmodelrefs.maas.opendatahub.io maasauthpolicies.maas.opendatahub.io externalmodels.maas.opendatahub.io --ignore-not-found 2>/dev/null || true
+	@echo "=== MaaS removed ==="
+
 deploy-opendatahub-prerequisites: check-kubeconfig
 	@echo "=== Deploying OpenDataHub prerequisites ==="
-	kubectl create namespace $(KSERVE_NAMESPACE) --dry-run=client -o yaml | kubectl apply -f -
+	kubectl create namespace "$(KSERVE_NAMESPACE)" --dry-run=client -o yaml | kubectl apply -f -
 	-kubectl get secret redhat-pull-secret -n istio-system -o yaml 2>/dev/null | \
 		sed 's/namespace: istio-system/namespace: $(KSERVE_NAMESPACE)/' | \
 		kubectl apply -f - 2>/dev/null || true
@@ -112,25 +172,28 @@ deploy-cert-manager-pki: check-kubeconfig deploy-opendatahub-prerequisites
 
 deploy-kserve: check-kubeconfig deploy-cert-manager-pki
 	@echo "Applying KServe via Helm..."
-	helmfile sync --wait --selector name=kserve-rhaii-xks --skip-crds
+	helmfile sync --wait --selector name=kserve-rhaii-xks
 	@echo "=== KServe deployed ==="
 
-# Undeploy
-undeploy: check-kubeconfig undeploy-kserve
+# Undeploy (reverse dependency order: MaaS → KServe → RHCL → base infra)
+undeploy: check-kubeconfig
+	-@$(MAKE) undeploy-maas 2>/dev/null || true
+	-@$(MAKE) undeploy-kserve 2>/dev/null || true
+	-@$(MAKE) undeploy-rhcl 2>/dev/null || true
 	@./scripts/cleanup.sh -y
 
 undeploy-kserve: check-kubeconfig
 	-@kubectl delete llminferenceservice --all -A --ignore-not-found 2>/dev/null || true
 	-@kubectl delete inferencepool --all -A --ignore-not-found 2>/dev/null || true
-	-@helm uninstall kserve-rhaii-xks --namespace $(KSERVE_NAMESPACE) 2>/dev/null || true
+	-@helm uninstall kserve-rhaii-xks --namespace "$(KSERVE_NAMESPACE)" 2>/dev/null || true
 	-@kubectl delete validatingwebhookconfiguration llminferenceservice.serving.kserve.io llminferenceserviceconfig.serving.kserve.io --ignore-not-found 2>/dev/null || true
 	-@# Removes KServe CRDs and Inference Extension CRDs (Helm does not remove CRDs on uninstall)
 	-@kubectl get crd -o name | grep -E "serving.kserve.io|inference.networking" | xargs -r kubectl delete --ignore-not-found 2>/dev/null || true
 	-@# Removes cluster-scoped RBAC resources
 	-@kubectl get clusterrole,clusterrolebinding -o name | grep -i kserve | xargs -r kubectl delete --ignore-not-found 2>/dev/null || true
 	-@kubectl delete clusterissuer opendatahub-ca-issuer opendatahub-selfsigned-issuer --ignore-not-found 2>/dev/null || true
 	-@kubectl delete certificate opendatahub-ca -n cert-manager --ignore-not-found 2>/dev/null || true
-	-@kubectl delete namespace $(KSERVE_NAMESPACE) --ignore-not-found --wait=false 2>/dev/null || true
+	-@kubectl delete namespace "$(KSERVE_NAMESPACE)" --ignore-not-found --wait=false 2>/dev/null || true
 	@echo "=== KServe removed ==="
 
 # Status
@@ -157,6 +220,15 @@ status: check-kubeconfig
 		kubectl get kuadrant,authorino,limitador -n kuadrant-system 2>/dev/null || echo "  No instances"; \
 	fi
 	@echo ""
+	@echo "maas (optional):"
+	@kubectl get pods -n "$(KSERVE_NAMESPACE)" -l control-plane=maas-controller 2>/dev/null || echo "  Not deployed (optional component)"
+	@kubectl get pods -n "$(KSERVE_NAMESPACE)" -l app.kubernetes.io/name=maas-api 2>/dev/null || echo "  "
+	@if kubectl get crd maassubscriptions.maas.opendatahub.io >/dev/null 2>&1; then \
+		echo ""; \
+		echo "maas gateway:"; \
+		kubectl get gateway $(MAAS_GATEWAY_NAME) -n $(MAAS_GATEWAY_NS) 2>/dev/null || echo "  No gateway"; \
+	fi
+	@echo ""
 	@echo "kserve:"
 	@kubectl get pods -n $(KSERVE_NAMESPACE) -l control-plane=kserve-controller-manager 2>/dev/null || echo "  Not deployed"
 	@echo ""
@@ -225,3 +297,43 @@ clean-mock-model: check-kubeconfig
 	-kubectl delete clusterstoragecontainer local-noop --ignore-not-found 2>/dev/null || true
 	-kubectl delete namespace "$(MOCK_NAMESPACE)" --ignore-not-found
 	@echo "=== Done ==="
+
+# Demo — end-to-end demo (requires full stack: make deploy-all RHCL=true MAAS=true)
+demo-setup: check-kubeconfig
+	@./demo/setup.sh
+
+demo-run: check-kubeconfig
+	@./demo/run.sh
+
+demo-cleanup: check-kubeconfig
+	@./demo/cleanup.sh
+
+demo-all: demo-setup demo-run
+
+# Lint — run locally before pushing to catch issues CodeRabbit would flag
+lint:
+	@echo "=== Running local lints ==="
+	@FAIL=0; \
+	echo "--- helm lint ---"; \
+	for chart in charts/*/; do \
+		if [ -f "$$chart/Chart.yaml" ]; then \
+			helm lint "$$chart" 2>&1 || FAIL=1; \
+		fi; \
+	done; \
+	echo ""; \
+	echo "--- yamllint ---"; \
+	if command -v yamllint >/dev/null 2>&1; then \
+		yamllint -d '{extends: relaxed, rules: {line-length: {max: 200}}}' values.yaml charts/*/values.yaml 2>&1 || FAIL=1; \
+	else \
+		echo "  yamllint not found (brew install yamllint)"; \
+	fi; \
+	echo ""; \
+	echo "--- shellcheck ---"; \
+	if command -v shellcheck >/dev/null 2>&1; then \
+		shellcheck -x scripts/*.sh test/*.sh 2>&1 || FAIL=1; \
+	else \
+		echo "  shellcheck not found (brew install shellcheck)"; \
+	fi; \
+	echo ""; \
+	echo "=== Lint complete ==="; \
+	exit $$FAIL
@@ -0,0 +1,16 @@
+apiVersion: v2
+name: maas
+description: Models as a Service (MaaS) for xKS — API gateway authentication, authorization, rate limiting, and model subscription management
+version: 0.1.0
+appVersion: "0.0.2"
+type: application
+keywords:
+  - maas
+  - models-as-a-service
+  - kuadrant
+  - kserve
+  - rate-limiting
+  - authentication
+home: https://github.com/opendatahub-io/models-as-a-service
+sources:
+  - https://github.com/opendatahub-io/models-as-a-service
@@ -0,0 +1,164 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: externalmodels.maas.opendatahub.io
+spec:
+  group: maas.opendatahub.io
+  names:
+    kind: ExternalModel
+    listKind: ExternalModelList
+    plural: externalmodels
+    singular: externalmodel
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.provider
+      name: Provider
+      type: string
+    - jsonPath: .spec.endpoint
+      name: Endpoint
+      type: string
+    - jsonPath: .status.phase
+      name: Phase
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ExternalModel is the Schema for the externalmodels API.
+          It defines an external LLM provider (e.g., OpenAI, Anthropic) that can be
+          referenced by MaaSModelRef resources.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ExternalModelSpec defines the desired state of ExternalModel
+            properties:
+              credentialRef:
+                description: |-
+                  CredentialRef references a Kubernetes Secret containing the provider API key.
+                  The Secret must contain a data key "api-key" with the credential value.
+                properties:
+                  name:
+                    description: Name is the name of the Secret
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                required:
+                - name
+                type: object
+              endpoint:
+                description: |-
+                  Endpoint is the FQDN of the external provider (no scheme or path).
+                  e.g. "api.openai.com".
+                  This field is metadata for downstream consumers (e.g. BBR provider-resolver plugin)
+                  and is not used by the controller for endpoint derivation.
+                maxLength: 253
+                pattern: ^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)*$
+                type: string
+              provider:
+                description: |-
+                  Provider identifies the API format and auth type for the external model.
+                  e.g. "openai", "anthropic".
+                maxLength: 63
+                type: string
+            required:
+            - credentialRef
+            - endpoint
+            - provider
+            type: object
+          status:
+            description: ExternalModelStatus defines the observed state of ExternalModel
+            properties:
+              conditions:
+                description: Conditions represent the latest available observations
+                  of the external model's state
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              phase:
+                description: Phase represents the current phase of the external model
+                enum:
+                - Pending
+                - Ready
+                - Failed
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}