Merge pull request #106 from Jooho/20231011_doc_update

update scripts/doc for mtls=true, refactorying sript structure

demo/kserve/custom-manifests/serverless/gateways.yaml

@@ -12,7 +12,7 @@ spec:
       protocol: TCP
       targetPort: 8081
   selector:
-    istio: ingressgateway
+    knative: ingressgateway
   type: ClusterIP
 ---
 apiVersion: networking.istio.io/v1beta1
@@ -22,7 +22,7 @@ metadata:
   namespace: knative-serving
 spec:
   selector:
-    istio: ingressgateway
+    knative: ingressgateway
   servers:
     - hosts:
         - '*'
@@ -41,7 +41,7 @@ metadata:
   namespace: knative-serving
 spec:
   selector:
-    istio: ingressgateway
+    knative: ingressgateway
   servers:
     - hosts:
         - '*'

demo/kserve/custom-manifests/service-mesh/smmr-odh.yaml → demo/kserve/custom-manifests/service-mesh/default-smmr.yaml

@@ -6,4 +6,3 @@ metadata:
 spec:
   members:
     - knative-serving
-    - opendatahub

demo/kserve/custom-manifests/service-mesh/operators.yaml

@@ -10,27 +10,3 @@ spec:
   installPlanApproval: Automatic
   source: redhat-operators
   sourceNamespace: openshift-marketplace
----
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: kiali-ossm
-  namespace: openshift-operators
-spec:
-  channel: stable
-  name: kiali-ossm
-  installPlanApproval: Automatic
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace
----
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: jaeger-product
-  namespace: openshift-operators
-spec:
-  channel: stable
-  installPlanApproval: Automatic
-  name: jaeger-product
-  source: redhat-operators
-  sourceNamespace: openshift-marketplace

demo/kserve/custom-manifests/service-mesh/smcp.yaml

@@ -9,15 +9,33 @@ spec:
       enabled: false
     kiali:
       name: kiali
-      enabled: true
+      enabled: false
     prometheus:
       enabled: false
     jaeger: 
       name: jaeger
+      enabled: false
   security:
     dataPlane:
-      mtls: false # otherwise inference-graph will not work. We use PeerAuthentication resources to force mTLS
+      mtls: true # otherwise inference-graph will not work. We use PeerAuthentication resources to force mTLS
     identity:
       type: ThirdParty        
+  techPreview:
+    meshConfig:
+      defaultConfig:
+        terminationDrainDuration: 35s
+  gateways:
+    ingress:
+      service:
+        metadata:
+          labels:
+            knative: ingressgateway
+  proxy:
+    networking:
+      trafficControl:
+        inbound:
+          excludedPorts:
+            - 8444 # metrics
+            - 8022 # serving: wait-for-drain k8s pre-stop hook              
   profiles:
     - default

demo/kserve/deploy-remove.md

@@ -41,11 +41,10 @@ Note: The **flan-t5-small** LLM model has been containerized into an S3 MinIO bu
 
 2. Deploy the LLM model with Caikit+TGIS Serving runtime
 
-   a. Create a new namespace and patch ServiceMesh related object.
+   a. Create a new namespace.
    ~~~
    export TEST_NS=kserve-demo
    oc new-project ${TEST_NS}
-   oc patch smmr/default -n istio-system --type='json' -p="[{'op': 'add', 'path': '/spec/members/-', 'value': \"$TEST_NS\"}]"
    ~~~
 
    b. Create a caikit ServingRuntime. By default, it requests 4CPU and 8Gi of memory. You can adjust these values as needed.
@@ -149,4 +148,4 @@ Note: The **flan-t5-small** LLM model has been containerized into an S3 MinIO bu
 
    ~~~
    oc delete ns ${TEST_NS} ${MINIO_NS}
-   ~~~
+   ~~~

demo/kserve/install-manual.md

@@ -31,6 +31,7 @@ Note: You have the alternative option of installing the KServe/Caikit/TGIS stack
    cd caikit-tgis-serving/demo/kserve
    
    source ./scripts/env.sh
+   source ./scripts/utils.sh
    export TARGET_OPERATOR_TYPE=$(getOpType $TARGET_OPERATOR)
    export TARGET_OPERATOR_NS=$(getOpNS)
    export KSERVE_OPERATOR_NS=$(getKserveNS)
@@ -40,39 +41,34 @@ Note: You have the alternative option of installing the KServe/Caikit/TGIS stack
 
    ~~~
    oc apply -f custom-manifests/service-mesh/operators.yaml
-   sleep 30
+   sleep 10
    oc wait --for=condition=ready pod -l name=istio-operator -n openshift-operators --timeout=300s
-   oc wait --for=condition=ready pod -l name=jaeger-operator -n openshift-operators --timeout=300s
-   oc wait --for=condition=ready pod -l name=kiali-operator -n openshift-operators --timeout=300s
    ~~~
 
 4. Create an Istio instance.
 
    ~~~
    oc create ns istio-system
    oc apply -f custom-manifests/service-mesh/smcp.yaml
-   sleep 30
+   sleep 10
+   wait_for_pods_ready "app=istiod" "istio-system"
+   wait_for_pods_ready "app=istio-ingressgateway" "istio-system"
+   wait_for_pods_ready "app=istio-egressgateway" "istio-system"
    oc wait --for=condition=ready pod -l app=istiod -n istio-system --timeout=300s
    oc wait --for=condition=ready pod -l app=istio-ingressgateway -n istio-system --timeout=300s
    oc wait --for=condition=ready pod -l app=istio-egressgateway -n istio-system --timeout=300s
-   oc wait --for=condition=ready pod -l app=jaeger -n istio-system --timeout=300s
    ~~~
 
 5. Install Knative Serving.
 
    ~~~
    oc create ns ${KSERVE_OPERATOR_NS}
    oc create ns knative-serving
-   oc -n istio-system apply -f custom-manifests/service-mesh/smmr-${TARGET_OPERATOR_TYPE}.yaml 
-   oc apply -f custom-manifests/service-mesh/peer-authentication.yaml
-   oc apply -f custom-manifests/service-mesh/peer-authentication-${TARGET_OPERATOR_TYPE}.yaml 
-   ~~~
-
-   Note: These commands use PeerAuthentications to enable mutual TLS (mTLS) according to [Openshift Serverless Documentation](https://access.redhat.com/documentation/en-us/red_hat_openshift_serverless/1.28/html/serving/configuring-custom-domains-for-knative-services#serverless-domain-mapping-custom-tls-cert_domain-mapping-custom-tls-cert).
-
-   ~~~
+   oc -n istio-system apply -f custom-manifests/service-mesh/default-smmr.yaml 
+   
    oc apply -f custom-manifests/serverless/operators.yaml
-   sleep 30
+   sleep 10
+   wait_for_csv_installed serverless-operator openshift-serverless
    oc wait --for=condition=ready pod -l name=knative-openshift -n openshift-serverless --timeout=300s
    oc wait --for=condition=ready pod -l name=knative-openshift-ingress -n openshift-serverless --timeout=300s
    oc wait --for=condition=ready pod -l name=knative-operator -n openshift-serverless --timeout=300s
@@ -83,16 +79,16 @@ Note: You have the alternative option of installing the KServe/Caikit/TGIS stack
    ~~~
    oc apply -f custom-manifests/serverless/knativeserving-istio.yaml
    sleep 15
-   oc wait --for=condition=ready pod -l app=controller -n knative-serving --timeout=300s
-   oc wait --for=condition=ready pod -l app=net-istio-controller -n knative-serving --timeout=300s
-   oc wait --for=condition=ready pod -l app=net-istio-webhook -n knative-serving --timeout=300s
-   oc wait --for=condition=ready pod -l app=autoscaler-hpa -n knative-serving --timeout=300s
-   oc wait --for=condition=ready pod -l app=domain-mapping -n knative-serving --timeout=300s
-   oc wait --for=condition=ready pod -l app=webhook -n knative-serving --timeout=300s
+   wait_for_pods_ready "app=controller" "knative-serving"
+   wait_for_pods_ready "app=net-istio-controller" "knative-serving"
+   wait_for_pods_ready "app=net-istio-webhook" "knative-serving"
+   wait_for_pods_ready "app=autoscaler-hpa" "knative-serving"
+   wait_for_pods_ready "app=domain-mapping" "knative-serving"
+   wait_for_pods_ready "app=webhook" "knative-serving"
    oc delete pod -n knative-serving -l app=activator --force --grace-period=0
    oc delete pod -n knative-serving -l app=autoscaler --force --grace-period=0
-   oc wait --for=condition=ready pod -l app=activator -n knative-serving --timeout=300s
-   oc wait --for=condition=ready pod -l app=autoscaler -n knative-serving --timeout=300s
+   wait_for_pods_ready "app=activator" "knative-serving"
+   wait_for_pods_ready "app=autoscaler" "knative-serving"
    ~~~
 
 7. Generate a wildcard certification for a gateway using OpenSSL.
@@ -107,12 +103,21 @@ Note: You have the alternative option of installing the KServe/Caikit/TGIS stack
    mkdir ${BASE_CERT_DIR}
 
    ./scripts/generate-wildcard-certs.sh ${BASE_CERT_DIR} ${DOMAIN_NAME} ${COMMON_NAME}
+   export TARGET_CUSTOM_CERT=${BASE_CERT_DIR}/wildcard.crt
+   export TARGET_CUSTOM_KEY=${BASE_CERT_DIR}/wildcard.key
+   ~~~
+
+   **(Note)**
+   If you want to use your own cert, you can set these 2 variables instead of following the step 7 above.
+   ~~~
+   export TARGET_CUSTOM_CERT=/path/to/custom.crt
+   export TARGET_CUSTOM_KEY=/path/to/custom.key
    ~~~
 
 8. Create the Knative gateway.
 
    ~~~
-   oc create secret tls wildcard-certs --cert=${BASE_CERT_DIR}/wildcard.crt --key=${BASE_CERT_DIR}/wildcard.key -n istio-system
+   oc create secret tls wildcard-certs --cert=${TARGET_CUSTOM_CERT} --key=${TARGET_CUSTOM_KEY} -n istio-system
    oc apply -f custom-manifests/serverless/gateways.yaml
    ~~~
 
@@ -123,26 +128,31 @@ Note: You have the alternative option of installing the KServe/Caikit/TGIS stack
    oc apply -f ./custom-manifests/service-mesh/istio-proxies-monitor.yaml 
    ~~~
 
-10. Apply the cluster role to allow Prometheus access.
+10.  Apply the cluster role to allow Prometheus access.
      ~~~
      oc apply -f ./custom-manifests/metrics/kserve-prometheus-k8s.yaml
      ~~~
 
-11. Deploy KServe with Open Data Hub Operator 2.0.
+11.  Deploy KServe with Open Data Hub Operator 2.0.
      ~~~
+     OPERATOR_LABEL="control-plane=controller-manager"
+     if [[ ${TARGET_OPERATOR_TYPE} == "rhods" ]];
+     then
+       OPERATOR_LABEL="name=rhods-operator"
+     fi
      oc create ns ${TARGET_OPERATOR_NS}
      oc create -f custom-manifests/opendatahub/${TARGET_OPERATOR}-operators-2.x.yaml
   
      sleep 10
-     oc wait --for=condition=ready pod -l name=rhods-operator -n ${TARGET_OPERATOR_NS} --timeout=300s 
+     wait_for_pods_ready "${OPERATOR_LABEL}" "${TARGET_OPERATOR_NS}"
    
      oc create -f custom-manifests/opendatahub/kserve-dsc.yaml
      ~~~
 
-12. (optional) Deploy KServe with OpenDataHub manifests for testing purposes by using KServe KFDef.
+12.  (optional) Deploy KServe with OpenDataHub manifests for testing purposes by using KServe KFDef.
       ~~~
-     git clone git@github.com:opendatahub-io/odh-manifests.git
+      git clone git@github.com:opendatahub-io/odh-manifests.git
       rm -rf  custom-manifests/opendatahub/.cache  custom-manifests/opendatahub/kustomize /tmp/odh-manifests.gzip
       tar czvf /tmp/odh-manifests.gzip odh-manifests
-     kfctl build -V -f custom-manifests/opendatahub/kfdef-kserve.yaml -d | oc create -n kserve -f -
+      kfctl build -V -f custom-manifests/opendatahub/kfdef-kserve.yaml -d | oc create -n kserve -f -
       ~~~