fix: add a workaround for 3.4ea2 to set runasuser in deployment (opendatahub-io#57)

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

Author: zdtsw

charts/kserve/files/resources.yaml

@@ -742,6 +742,7 @@ spec:
         runAsNonRoot: true
         seccompProfile:
           type: RuntimeDefault
+        runAsUser: 1000
       serviceAccountName: llmisvc-controller-manager
       terminationGracePeriodSeconds: 30
       volumes:

charts/kserve/generate-chart.sh

@@ -131,6 +131,17 @@ yq eval 'select(.kind != "ValidatingWebhookConfiguration" and .kind != "Mutating
 
 rm -f "${TEMP_BUILD}" "${FILES_DIR}/resources-all.yaml"
 
+# Patch: add runAsUser to llmisvc-controller-manager deployment
+# UBI-based images don't set USER in Dockerfile, so non-OpenShift clusters
+# (which lack SCC to inject a UID) will fail the runAsNonRoot check without this.
+# TODO(RHOAIENG-56701): remove this patch once the image build sets USER 1000
+# https://redhat.atlassian.net/browse/RHOAIENG-56701
+echo "Patching llmisvc-controller-manager securityContext (runAsUser: 1000)..."
+yq eval '
+  (select(.kind == "Deployment" and .metadata.name == "llmisvc-controller-manager")
+    .spec.template.spec.securityContext.runAsUser) = 1000
+' -i "${FILES_DIR}/resources.yaml"
+
 if [[ "${SKIP_IMAGE_REPLACEMENT}" == "true" ]]; then
     echo ""
     echo "Skipping image replacement (--skip-image-replacement flag set)"

helmfile.yaml.gotmpl

@@ -59,7 +59,7 @@ helmfiles:
 ---
 
 {{ $kserveChart := "oci://ghcr.io/opendatahub-io/kserve-rhaii-xks" }}
-{{ $kserveVersion := .Values.kserveChartVersion | default "3.4.0-ea.2" }}
+{{ $kserveVersion := .Values.kserveChartVersion | default "3.4.0-ea.2+cf8a9b5" }}
 
 releases:
   - name: kserve-rhaii-xks

values.yaml

@@ -40,4 +40,4 @@ rhclOperator:
 # =============================================================================
 
 # KServe OCI chart version (dev variant until official builds are on registry.redhat.io)
-kserveChartVersion: "3.4.0-ea.2"
+kserveChartVersion: "3.4.0-ea.2+cf8a9b5"