add support for providing custom certs for OLS and Custom ca for UI
Nimer Naamneh authored and raptorsun committed Sep 25, 2024
1 parent 78050f7 commit 97b1945
Showing 8 changed files with 114 additions and 13 deletions.
4 changes: 4 additions & 0 deletions api/v1alpha1/olsconfig_types.go
Expand Up @@ -80,6 +80,8 @@ type OLSSpec struct {
// User data collection switches
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="User Data Collection"
UserDataCollection UserDataCollectionSpec `json:"userDataCollection,omitempty"`

UseUserProvidedTLSCerts bool `json:"useUserProvidedTLSCerts,omitempty"`
// Additional CA certificates for TLS communication between OLS service and LLM Provider
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Additional CA Configmap",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:advanced"}
AdditionalCAConfigMapRef *corev1.LocalObjectReference `json:"additionalCAConfigMapRef,omitempty"`
Expand Down Expand Up @@ -124,6 +126,8 @@ type ConsoleContainerConfig struct {
Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Node Selector",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:nodeSelector"}
NodeSelector map[string]string `json:"nodeSelector,omitempty"`

CAcertificate string `json:"caCertificate,omitempty"`
}

// +kubebuilder:validation:Enum=redis
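Review bot: `UseUserProvidedTLSCerts` in the first hunk and `CAcertificate` in the second are the only fields in these structs without a doc comment or a `+operator-sdk:csv:customresourcedefinitions` marker, which is why the generated CRD in this commit carries no `description` for either. A comment such as `// UseUserProvidedTLSCerts omits the serving-cert annotation on the OLS service so the operator relies on a user-supplied TLS secret instead of a cluster-generated one` on the first, and `// CAcertificate is the PEM-encoded CA the console plugin proxy uses to verify the OLS service` on the second, would document what the rest of this commit does with them; the exact secret name a user must create is not visible in these hunks, so confirm it before wording the first comment. `CAcertificate` also departs from the file's initialism casing (`AdditionalCAConfigMapRef`); `CACertificate` would match Go convention while the JSON tag `caCertificate` can stay as is, though renaming after release changes the Go API.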
4 changes: 4 additions & 0 deletions config/crd/bases/ols.openshift.io_olsconfigs.yaml
Expand Up @@ -286,6 +286,8 @@ spec:
console:
description: Console container settings.
properties:
caCertificate:
type: string
nodeSelector:
additionalProperties:
type: string
Expand Down Expand Up @@ -483,6 +485,8 @@ spec:
type: string
type: object
type: array
useUserProvidedTLSCerts:
type: boolean
userDataCollection:
description: User data collection switches
properties:
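--- a/hack/custom_certs/cr-with-custom-certs.yaml
+++ b/hack/custom_certs/cr-with-custom-certs.yaml
@@ -0,0 +1,32 @@
+apiVersion: ols.openshift.io/v1alpha1
+kind: OLSConfig
+metadata:
+name: cluster
+namespace: openshift-lightspeed
+spec:
+llm:
+providers:
+- credentialsSecretRef:
+name: bam-api-keys
+type: bam
+models:
+- name: ibm/granite-13b-chat-v2
+name: bam
+url: https://bam-api.res.ibm.com
+ols:
+conversationCache:
+redis:
+maxMemory: 2000mb
+maxMemoryPolicy: allkeys-lru
+type: redis
+defaultModel: ibm/granite-13b-chat-v2
+defaultProvider: bam
+logLevel: INFO
+useUserProvidedTLSCerts: true
+deployment:
+replicas: 1
+console:
+caCertificate: |
+-----BEGIN CERTIFICATE-----
+your-certificate content, syntax sensitive
+-----END CERTIFICATE-----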
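--- a/hack/custom_certs/generate-certs.sh
+++ b/hack/custom_certs/generate-certs.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Define variables
+CERT_DIR="./certs"
+CA_KEY="$CERT_DIR/ca.key"
+CA_CERT="$CERT_DIR/ca.crt"
+PRIVATE_KEY="$CERT_DIR/tls.key"
+CERTIFICATE="$CERT_DIR/tls.crt"
+DAYS_VALID=365
+SECRET_NAME="lightspeed-tls"
+NAMESPACE="openshift-lightspeed"
+
+# Create directory for certificates if it doesn't exist
+mkdir -p "$CERT_DIR"
+
+# Generate CA private key and self-signed CA certificate
+openssl req -x509 -newkey rsa:4096 -sha256 -days "$DAYS_VALID" -nodes \
+-keyout "$CA_KEY" -out "$CA_CERT" -subj "/CN=MyCA" \
+-addext "subjectAltName=DNS:MyCA"
+
+echo "CA certificate and private key have been generated in $CERT_DIR"
+
+# Generate private key and certificate signing request (CSR) for the server
+openssl req -new -newkey rsa:4096 -nodes -keyout "$PRIVATE_KEY" -out "$CERT_DIR/server.csr" \
+-subj "/CN=lightspeed-app-server" -addext "subjectAltName=DNS:lightspeed-app-server,DNS:lightspeed-app-server.openshift-lightspeed.svc.cluster.local,IP:127.0.0.1,IP:::1"
+
+# Sign the server certificate with the CA certificate
+openssl x509 -req -in "$CERT_DIR/server.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
+-out "$CERTIFICATE" -days "$DAYS_VALID" -sha256 -extfile <(echo "subjectAltName=DNS:lightspeed-app-server,DNS:lightspeed-app-server.openshift-lightspeed.svc.cluster.local,IP:127.0.0.1,IP:::1")
+
+echo "Server certificate signed by CA has been generated in $CERT_DIR"
+
+# Generate the Kubernetes Secret YAML manifest for the TLS certificate and key for the ols-server
+cat <<EOF > "$CERT_DIR/$SECRET_NAME.yaml"
+apiVersion: v1
+kind: Secret
+metadata:
+name: $SECRET_NAME
+namespace: $NAMESPACE
+type: kubernetes.io/tls
+data:
+tls.crt: $(base64 < "$CERTIFICATE")
+tls.key: $(base64 < "$PRIVATE_KEY")
+EOF
+
+echo "Kubernetes Secret manifest for TLS has been generated at $CERT_DIR/$SECRET_NAME.yaml"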
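Review bot: The manifest heredoc line `tls.crt: $(base64 < "$CERTIFICATE")` (and the `tls.key` line below it) breaks on GNU coreutils, where `base64` wraps its output at 76 columns and the resulting multi-line value is not valid YAML in that position; `tls.crt: $(base64 < "$CERTIFICATE" | tr -d '\n')` works on both GNU and BSD `base64`. The script also carries on after any `openssl` failure and would then write a Secret manifest with empty or stale data, so `set -euo pipefail` belongs right after the shebang. Because the script writes a CA private key and a server private key under the caller's default umask, `umask 077` before `mkdir -p "$CERT_DIR"` keeps those files owner-readable only; the CA key remains on disk after signing, which is acceptable for a hack script but deserves a one-line comment saying so.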
18 changes: 12 additions & 6 deletions internal/controller/ols_app_server_assets.go
Expand Up @@ -320,14 +320,20 @@ func (r *OLSConfigReconciler) getAdditionalCAFileNames(cr *olsv1alpha1.OLSConfig
}

func (r *OLSConfigReconciler) generateService(cr *olsv1alpha1.OLSConfig) (*corev1.Service, error) {
annotations := map[string]string{}

// Check if the flag for user-provided TLS certs is set
if !cr.Spec.OLSConfig.UseUserProvidedTLSCerts {
// Add the service-served certs annotations only if the flag is not set
annotations[ServingCertSecretAnnotationKey] = OLSCertsSecretName
}

service := corev1.Service{
ObjectMeta: metav1.ObjectMeta{
Name: OLSAppServerServiceName,
Namespace: r.Options.Namespace,
Labels: generateAppServerSelectorLabels(),
Annotations: map[string]string{
ServingCertSecretAnnotationKey: OLSCertsSecretName,
},
Name: OLSAppServerServiceName,
Namespace: r.Options.Namespace,
Labels: generateAppServerSelectorLabels(),
Annotations: annotations,
},
Spec: corev1.ServiceSpec{
Ports: []corev1.ServicePort{
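Review bot: The two new comments in `generateService` (`// Check if the flag for user-provided TLS certs is set` and `// Add the service-served certs annotations only if the flag is not set`) restate the condition rather than explain its consequence: with the annotation omitted, the secret named by `OLSCertsSecretName` is no longer requested from the cluster's serving-cert generator, and something else must provide it. A single why-comment such as `// With user-provided certs the serving-cert annotation is omitted so the cluster does not generate or rotate OLSCertsSecretName; the user is expected to supply that secret themselves` would carry that, but the hunk does not show where the user-provided secret is read, so confirm the secret-name assumption before wording it. The remainder of generateService (ports, selector) continues outside the hunk.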
14 changes: 9 additions & 5 deletions internal/controller/ols_app_server_reconciliator.go
Expand Up @@ -303,11 +303,15 @@ func (r *OLSConfigReconciler) reconcileService(ctx context.Context, cr *olsv1alp
return fmt.Errorf("%s: %w", ErrGetAPIServiceAccount, err)
}

if serviceEqual(foundService, service) &&
foundService.ObjectMeta.Annotations != nil &&
foundService.ObjectMeta.Annotations[ServingCertSecretAnnotationKey] == service.ObjectMeta.Annotations[ServingCertSecretAnnotationKey] {
r.logger.Info("OLS service unchanged, reconciliation skipped", "service", service.Name)
return nil
if serviceEqual(foundService, service) && foundService.ObjectMeta.Annotations != nil {
if cr.Spec.OLSConfig.UseUserProvidedTLSCerts {
r.logger.Info("OLS service unchanged, reconciliation skipped", "service", service.Name)
return nil

} else if foundService.ObjectMeta.Annotations[ServingCertSecretAnnotationKey] == service.ObjectMeta.Annotations[ServingCertSecretAnnotationKey] {
r.logger.Info("OLS service unchanged, reconciliation skipped", "service", service.Name)
return nil
}
}

err = r.Update(ctx, service)
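Review bot: When `UseUserProvidedTLSCerts` is set, the new branch at `if cr.Spec.OLSConfig.UseUserProvidedTLSCerts` skips the update without ever comparing the `ServingCertSecretAnnotationKey` annotation, so a service created before the flag was enabled keeps its serving-cert annotation indefinitely and, presumably, the cluster keeps managing that certificate secret even though the service generated in this commit's generateService hunk no longer carries the annotation. The old single condition already handled both cases and only needs its nil guard dropped, since indexing a nil map yields `""`: `if serviceEqual(foundService, service) && foundService.ObjectMeta.Annotations[ServingCertSecretAnnotationKey] == service.ObjectMeta.Annotations[ServingCertSecretAnnotationKey] {`. That also removes the duplicated log-and-return and the stray blank line before `} else if`. reconcileService starts and ends outside this hunk.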
4 changes: 2 additions & 2 deletions internal/controller/ols_console_reconciliator.go
Expand Up @@ -19,7 +19,7 @@ import (
olsv1alpha1 "github.com/openshift/lightspeed-operator/api/v1alpha1"
)

func (r *OLSConfigReconciler) reconcileConsoleUI(ctx context.Context, olsconfig *olsv1alpha1.OLSConfig) error {
func (r *OLSConfigReconciler) reconcileConsoleUI(ctx context.Context, cr *olsv1alpha1.OLSConfig) error {
r.logger.Info("reconcileConsoleUI starts")
tasks := []ReconcileTask{
{
Expand Down Expand Up @@ -49,7 +49,7 @@ func (r *OLSConfigReconciler) reconcileConsoleUI(ctx context.Context, olsconfig
}

for _, task := range tasks {
err := task.Task(ctx, olsconfig)
err := task.Task(ctx, cr)
if err != nil {
r.logger.Error(err, "reconcileConsoleUI error", "task", task.Name)
return fmt.Errorf("failed to %s: %w", task.Name, err)
5 changes: 5 additions & 0 deletions internal/controller/ols_console_ui_assets.go
Expand Up @@ -234,6 +234,11 @@ func (r *OLSConfigReconciler) generateConsoleUIPlugin(cr *olsv1alpha1.OLSConfig)
},
}

// Conditionally add the CA certificate if provided in the CRD
if cr.Spec.OLSConfig.DeploymentConfig.ConsoleContainer.CAcertificate != "" {
plugin.Spec.Proxy[0].CACertificate = cr.Spec.OLSConfig.DeploymentConfig.ConsoleContainer.CAcertificate
}

if err := controllerutil.SetControllerReference(cr, plugin, r.Scheme); err != nil {
return nil, err
}
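Review bot: The value copied at `plugin.Spec.Proxy[0].CACertificate = cr.Spec...CAcertificate` is handed to the console plugin unchecked, so a mistyped or truncated PEM in the CR (the sample CR in this commit is a free-form multi-line string) only surfaces as a proxy failure at runtime instead of a reconcile error the operator can report. Since `generateConsoleUIPlugin` already returns an error, decoding the first PEM block and rejecting anything that is not a `CERTIFICATE` is a cheap early check; it needs `encoding/pem` imported, and the error constructor assumes `fmt` is already imported in this file. The `Proxy[0]` index relies on the literal above the hunk always declaring at least one proxy entry; a comment noting that dependency would help the next reader, as would a name-case fix for `CAcertificate` if the API field is renamed before release. The plugin literal and the function's closing lines are outside this hunk.
```go
// Conditionally add the CA certificate if provided in the CRD
if ca := cr.Spec.OLSConfig.DeploymentConfig.ConsoleContainer.CAcertificate; ca != "" {
	// Reject obviously malformed input here so the error is reported on the
	// OLSConfig reconcile rather than as a runtime proxy failure; only the
	// first PEM block is inspected.
	if block, _ := pem.Decode([]byte(ca)); block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("console caCertificate is not a PEM-encoded certificate")
	}
	// Proxy[0] exists because the plugin literal above always declares one proxy entry.
	plugin.Spec.Proxy[0].CACertificate = ca
}
// … unchanged: SetControllerReference and return …
```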
