2.8 & 2.8.1 fixes

backend/src/routes/api/proxy/index.ts

@@ -61,7 +61,6 @@ export default async (fastify: KubeFastifyInstance): Promise<void> => {
         url,
         overrideContentType: contentType,
         requestData,
-        rejectUnauthorized: false,
       })
         .then(([rawData]) => rawData)
         .catch((error) => {

backend/src/routes/wss/k8s/index.ts

@@ -3,6 +3,7 @@ import { KubeFastifyInstance, OauthFastifyRequest } from '../../../types';
 import { getDirectCallOptions } from '../../../utils/directCallUtils';
 import { getAccessToken } from '../../../utils/directCallUtils';
 import { ClientRequest, IncomingMessage } from 'http';
+import https from 'https';
 
 const base64 = (data: string): string =>
   // This usage of toString is fine for decoding
@@ -67,7 +68,7 @@ export default async (fastify: KubeFastifyInstance): Promise<void> => {
               req.headers.origin ||
               `http://${typeof serverAddress === 'string' ? serverAddress : serverAddress.address}`,
           },
-          ca: requestOptions.ca as WebSocket.CertMeta,
+          ca: https.globalAgent.options.ca as WebSocket.CertMeta,
         });
 
         const close = (code: number, reason: string) => {

backend/src/server.ts

@@ -3,6 +3,8 @@ import pino from 'pino';
 import { APP_ENV, PORT, IP, LOG_LEVEL } from './utils/constants';
 import { initializeApp } from './app';
 import { AddressInfo } from 'net';
+import https from 'https';
+import fs from 'fs';
 
 const transport =
   APP_ENV === 'development'
@@ -36,7 +38,33 @@ app.listen({ port: PORT, host: IP }, (err) => {
     app.log.error(err);
     process.exit(1); // eslint-disable-line
   }
+  // Load CA bundle used in our API calls
+  // tls-ca-bundle.pem is the default CA bundle used by the system in CentOS/RHEL
+  // ca.crt is the default CA bundle provided by the service account for kubernetes
+  // service-ca.crt is the CA bundle provided by the service account for kubernetes used by prometheus
+  // odh-ca-bundle.crt and odh-trusted-ca-bundle.crt are the CA bundles provided by the ODH platform
+  const caPaths = [
+    '/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem',
+    '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt',
+    '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt',
+    '/etc/pki/tls/certs/odh-ca-bundle.crt',
+    '/etc/pki/tls/certs/odh-trusted-ca-bundle.crt',
+  ]
+    .map(getCABundle)
+    .filter((ca) => ca !== undefined);
+
+  https.globalAgent.options.ca = caPaths;
+
   const address: AddressInfo = app.server.address() as AddressInfo;
   console.log('Fastify Connected...');
   console.log(`Server listening on >>>  ${address.address}:${address.port}`);
 });
+
+const getCABundle = (path: string) => {
+  try {
+    return fs.readFileSync(path);
+  } catch (e) {
+    // ignore
+  }
+  return undefined;
+};

backend/src/utils/directCallUtils.ts

@@ -12,12 +12,12 @@ export const getDirectCallOptions = async (
   fastify: KubeFastifyInstance,
   request: OauthFastifyRequest,
   url: string,
-): Promise<RequestOptions> => {
+): Promise<Pick<RequestOptions, 'headers'>> => {
   // Use our kube setup to boostrap our request
   const kc = fastify.kube.config;
   const kubeOptions: Parameters<typeof kc.applyToRequest>[0] = { url };
   await kc.applyToRequest(kubeOptions);
-  const { headers: kubeHeaders, ca } = kubeOptions;
+  const { headers: kubeHeaders } = kubeOptions;
 
   // Adjust the header auth token
   let headers;
@@ -49,7 +49,6 @@ export const getDirectCallOptions = async (
   }
 
   return {
-    ca,
     headers,
   };
 };

backend/src/utils/httpUtils.ts

@@ -29,8 +29,6 @@ type ProxyData = {
   requestData?: string | Buffer;
   /** Option to substitute your own content type for the API call -- defaults to JSON */
   overrideContentType?: string;
-  /** Allow for unauthorized SSL connections to succeed */
-  rejectUnauthorized?: boolean;
 };
 
 /** Ideally these would all be required, but https by node seems to think there are cases when it does not know the code or message */
@@ -46,7 +44,7 @@ export const proxyCall = (
   data: ProxyData,
 ): Promise<[string, ProxyCallStatus]> => {
   return new Promise((resolve, reject) => {
-    const { method, requestData, overrideContentType, url, rejectUnauthorized } = data;
+    const { method, requestData, overrideContentType, url } = data;
 
     getDirectCallOptions(fastify, request, url)
       .then((requestOptions) => {
@@ -67,10 +65,6 @@ export const proxyCall = (
           };
         }
 
-        if (rejectUnauthorized !== undefined) {
-          requestOptions.rejectUnauthorized = rejectUnauthorized;
-        }
-
         fastify.log.info(`Making ${method} proxy request to ${url}`);
 
         const web = (url: string) => {

backend/src/utils/prometheusUtils.ts

@@ -27,7 +27,6 @@ const callPrometheus = async <T>(
   return proxyCall(fastify, request, {
     method: 'GET',
     url,
-    rejectUnauthorized: false,
   })
     .then(([rawData, status]) => {
       if (rejectOnHttpErrorCode && status.code >= 400) {

frontend/src/app/AppLauncher.tsx

@@ -127,31 +127,35 @@ const AppLauncher: React.FC = () => {
     return null;
   }
 
+  const renderApplicationLauncherGroup = (section: Section, sectionIndex: number) => {
+    const appItems = section.actions.map((action) => (
+      <ApplicationLauncherItem
+        key={action.label}
+        href={action.href}
+        isExternal
+        icon={action.image}
+        rel="noopener noreferrer"
+        target="_blank"
+      >
+        {action.label}
+      </ApplicationLauncherItem>
+    ));
+    if (sectionIndex < applicationSections.length - 1) {
+      appItems.push(<ApplicationLauncherSeparator key={`separator-${sectionIndex}`} />);
+    }
+    return (
+      <ApplicationLauncherGroup key={section.label} label={section.label}>
+        {appItems}
+      </ApplicationLauncherGroup>
+    );
+  };
   return (
     <ApplicationLauncher
       aria-label="Application launcher"
       onSelect={onSelect}
       onToggle={onToggle}
       isOpen={isOpen}
-      items={applicationSections.map((section, sectionIndex) => (
-        <ApplicationLauncherGroup key={section.label} label={section.label}>
-          {section.actions.map((action) => (
-            <ApplicationLauncherItem
-              key={action.label}
-              href={action.href}
-              isExternal
-              icon={action.image}
-              rel="noopener noreferrer"
-              target="_blank"
-            >
-              {action.label}
-            </ApplicationLauncherItem>
-          ))}
-          {sectionIndex < applicationSections.length - 1 && (
-            <ApplicationLauncherSeparator key={`separator-${sectionIndex}`} />
-          )}
-        </ApplicationLauncherGroup>
-      ))}
+      items={applicationSections.map(renderApplicationLauncherGroup)}
       position="right"
       isGrouped
     />

manifests/base/deployment.yaml

@@ -57,8 +57,18 @@ spec:
           successThreshold: 1
           failureThreshold: 3
         volumeMounts:
-          - mountPath: /etc/pki/tls/certs
-            name: trusted-ca-bundle
+          - mountPath: /etc/pki/tls/certs/odh-trusted-ca-bundle.crt
+            name: odh-trusted-ca-cert
+            subPath: odh-trusted-ca-bundle.crt
+          - mountPath: /etc/ssl/certs/odh-trusted-ca-bundle.crt
+            name: odh-trusted-ca-cert
+            subPath: odh-trusted-ca-bundle.crt
+          - mountPath: /etc/pki/tls/certs/odh-ca-bundle.crt
+            name: odh-ca-cert
+            subPath: odh-ca-bundle.crt
+          - mountPath: /etc/ssl/certs/odh-ca-bundle.crt
+            name: odh-ca-cert
+            subPath: odh-ca-bundle.crt
       - name: oauth-proxy
         env:
           - name: NAMESPACE
@@ -118,6 +128,18 @@ spec:
             name: oauth-config
           - mountPath: /etc/oauth/client
             name: oauth-client
+          - mountPath: /etc/pki/tls/certs/odh-trusted-ca-bundle.crt
+            name: odh-trusted-ca-cert
+            subPath: odh-trusted-ca-bundle.crt
+          - mountPath: /etc/ssl/certs/odh-trusted-ca-bundle.crt
+            name: odh-trusted-ca-cert
+            subPath: odh-trusted-ca-bundle.crt
+          - mountPath: /etc/pki/tls/certs/odh-ca-bundle.crt
+            name: odh-ca-cert
+            subPath: odh-ca-bundle.crt
+          - mountPath: /etc/ssl/certs/odh-ca-bundle.crt
+            name: odh-ca-cert
+            subPath: odh-ca-bundle.crt
       volumes:
       - name: proxy-tls
         secret:
@@ -128,7 +150,17 @@ spec:
       - name: oauth-client
         secret:
           secretName: dashboard-oauth-client-generated
-      - name: trusted-ca-bundle
+      - name: odh-trusted-ca-cert
         configMap:
           name: odh-trusted-ca-bundle
+          items:
+          - key: ca-bundle.crt
+            path: odh-trusted-ca-bundle.crt
+          optional: true
+      - name: odh-ca-cert
+        configMap:
+          name: odh-trusted-ca-bundle
+          items:
+          - key: odh-ca-bundle.crt
+            path: odh-ca-bundle.crt
           optional: true

manifests/overlays/modelserving/kustomization.yaml

@@ -14,7 +14,7 @@ images:
     digest: sha256:444bca43c99bfc4b961c926f5f10c556488613912f5e333011e98b3407d76d00
   - name: quay.io/opendatahub/text-generation-inference
     newName: quay.io/modh/text-generation-inference
-    digest: sha256:e4d24fd401fd4eb89b49b4ab07e0c08389384d4a672b240e98a03ad7f9ef1c85
+    digest: sha256:b87d83c65c9c5897d8a6881a160f5c65b9d7ba1d8a27bdc1ee229e60af654a9c
   - name: quay.io/opendatahub/openvino_model_server
     newName: quay.io/modh/openvino_model_server
     digest: sha256:5d04d405526ea4ce5b807d0cd199ccf7f71bab1228907c091e975efa770a4908

manifests/overlays/odhdashboardconfig/kustomization.yaml

@@ -1,6 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../base
-  - odh-dashboard-config.yaml
-  - odh-enabled-applications-config.configmap.yaml
+  - odhdashboardconfig.yaml

manifests/overlays/odhdashboardconfig/odhdashboardconfig.yaml

@@ -0,0 +1,93 @@
+# ODHDashboardConfig to enable the notebook-controller feature and add notebook sizes
+apiVersion: opendatahub.io/v1alpha
+kind: OdhDashboardConfig
+metadata:
+  creationTimestamp: null
+  name: odh-dashboard-config
+spec:
+  dashboardConfig:
+    disableBYONImageStream: false
+    disableClusterManager: false
+    disableISVBadges: false
+    disableInfo: false
+    disableSupport: false
+    disableTracking: false
+    enablement: true
+    disableProjects: false
+    disablePipelines: false
+    disableModelServing: false
+    disableProjectSharing: false
+    disableCustomServingRuntimes: false
+    disableBiasMetrics: false
+    disablePerformanceMetrics: false
+    disableAcceleratorProfiles: false
+    disableKServe: false
+    disableModelMesh: false
+    disableDistributedWorkloads: true
+  groupsConfig:
+    adminGroups: "<admin_groups>"
+    allowedGroups: "system:authenticated"
+  notebookController:
+    enabled: true
+    pvcSize: "20Gi"
+    notebookNamespace: rhods-notebooks
+  notebookSizes:
+    - name: Small
+      resources:
+        requests:
+          memory: 8Gi
+          cpu: "1"
+        limits:
+          memory: 8Gi
+          cpu: "2"
+    - name: Medium
+      resources:
+        requests:
+          memory: 24Gi
+          cpu: "3"
+        limits:
+          memory: 24Gi
+          cpu: "6"
+    - name: Large
+      resources:
+        requests:
+          memory: 56Gi
+          cpu: "7"
+        limits:
+          memory: 56Gi
+          cpu: "14"
+    - name: X Large
+      resources:
+        requests:
+          memory: 120Gi
+          cpu: "15"
+        limits:
+          memory: 120Gi
+          cpu: "30"
+  modelServerSizes:
+  - name: Small
+    resources:
+      limits:
+        cpu: "2"
+        memory: 8Gi
+      requests:
+        cpu: "1"
+        memory: 4Gi
+  - name: Medium
+    resources:
+      limits:
+        cpu: "8"
+        memory: 10Gi
+      requests:
+        cpu: "4"
+        memory: 8Gi
+  - name: Large
+    resources:
+      limits:
+        cpu: "10"
+        memory: 20Gi
+      requests:
+        cpu: "6"
+        memory: 16Gi
+  templateOrder: []
+  templateDisablement: []