Istio sample update

[tonyxrmdavidson]

This PR will allow the deployment of model-registry-istio-tls in the PROW/openshift job.
The deployment files for this deployment are directly copied over from the model-registry-operator file. Some the files will be unused at the moment but will likely be needed to give us the option to switch the PROW/openshift-ci job to use the any of the samples available in for PR checking.

How was this tested

It was tested by running locally targeting an already deployed openshift cluster and was oc logged in.

Deploying authorino-subscription from openshift-ci/resources/samples/authorino-subscription.yaml...
subscription.operators.coreos.com/authorino-operator created
✔ Success: Deployment of authorino-subscription succeeded.
Monitoring the installation of CRDs: authconfigs.authorino.kuadrant.io authconfigs.authorino.kuadrant.io authorinos.operator.authorino.kuadrant.io
Timeout set to 120s
✔ Success: All specified CRDs are installed.
Deploying service-mesh-subscription from openshift-ci/resources/samples/service-mesh-subscription.yaml...
subscription.operators.coreos.com/servicemeshoperator created
✔ Success: Deployment of service-mesh-subscription succeeded.
Monitoring the installation of CRDs: servicemeshcontrolplanes.maistra.io servicemeshmembers.maistra.io servicemeshmemberrolls.maistra.io
Timeout set to 120s
✔ Success: All specified CRDs are installed.
Deploying opendatahub-subscription from openshift-ci/resources/opendatahub-subscription.yaml...
subscription.operators.coreos.com/model-registry-test-source-subscription created
✔ Success: Deployment of opendatahub-subscription succeeded.
Monitoring the installation of CRDs: datascienceclusters.datasciencecluster.opendatahub.io dscinitializations.dscinitialization.opendatahub.io featuretrackers.features.opendatahub.io
Timeout set to 120s
✔ Success: All specified CRDs are installed.
Deploying model-registry-DSCInitialization from openshift-ci/resources/model-registry-DSCInitialization.yaml...
dscinitialization.dscinitialization.opendatahub.io/default-dsci created
✔ Success: Deployment of model-registry-DSCInitialization succeeded.
Deploying opendatahub-data-science-cluster from openshift-ci/resources/opendatahub-data-science-cluster.yaml...
datasciencecluster.datasciencecluster.opendatahub.io/default-dsc created
✔ Success: Deployment of opendatahub-data-science-cluster succeeded.
Monitoring the installation of CRDs: acceleratorprofiles.dashboard.opendatahub.io datasciencepipelinesapplications.datasciencepipelinesapplications.opendatahub.io odhapplications.dashboard.opendatahub.io odhdashboardconfigs.opendatahub.io odhdocuments.dashboard.opendatahub.io
Timeout set to 120s
✔ Success: All specified CRDs are installed.
error: resource name may not be empty
! INFO: Pod is not running or does not have 2 containers ready
error: resource name may not be empty
! INFO: Pod is not running or does not have 2 containers ready
! INFO: Pod model-registry-operator-controller-manager-8444ddd68-7vmts is not running or does not have 2 containers ready
! INFO: Pod model-registry-operator-controller-manager-8444ddd68-7vmts is not running or does not have 2 containers ready
✔ Success: Pod model-registry-operator-controller-manager-8444ddd68-7vmts is running and 2 out of 2 containers are ready
apps.rk415.apicurio.integration-qe.com

Certificate request self-signature ok
subject=CN=model-registry-db, O=modelregistry organization
modelregistry-sample-rest.domain.domain.key
modelregistry-sample-rest.domain.domain.crt
secret/modelregistry-sample-rest-credential created
✔ Success: Secret 'modelregistry-sample-rest-credential' created successfully in namespace 'istio-system'.
modelregistry-sample-grpc.domain.domain.key
modelregistry-sample-grpc.domain.domain.crt
secret/modelregistry-sample-grpc-credential created
✔ Success: Secret 'modelregistry-sample-grpc-credential' created successfully in namespace 'istio-system'.
model-registry-db.domain.key
model-registry-db.domain.crt
secret/model-registry-db-credential created
✔ Success: Secret 'model-registry-db-credential' created successfully in namespace 'odh-model-registries'.
servicemeshmember.maistra.io/default created
Getting ServiceMeshMember
No resources found in istio-system namespace.
Deploying mysql-tls from openshift-ci/resources/samples/istio/mysql-tls...
configmap/modelregistry-sample-environment created
secret/model-registry-db created
service/model-registry-db created
persistentvolumeclaim/model-registry-db created
deployment.apps/model-registry-db created
modelregistry.modelregistry.opendatahub.io/modelregistry-sample created
✔ Success: Deployment of mysql-tls succeeded.
Monitoring the installation of CRDs: modelregistries.modelregistry.opendatahub.io
Timeout set to 120s
✔ Success: All specified CRDs are installed.
✔ Success: Deployment model-registry-db is available
✔ Success: Deployment modelregistry-sample is available
! INFO: Pod model-registry-db-59757bdd8-vjmjw is not running or does not have 1 containers ready
✔ Success: Pod model-registry-db-59757bdd8-vjmjw is running and 1 out of 1 containers are ready
! INFO: Pod modelregistry-sample-866f6b7cb5-tstts is not running or does not have 3 containers ready
! INFO: Pod modelregistry-sample-866f6b7cb5-tstts is not running or does not have 3 containers ready
! INFO: Pod modelregistry-sample-866f6b7cb5-tstts is not running or does not have 3 containers ready
! INFO: Pod modelregistry-sample-866f6b7cb5-tstts is not running or does not have 3 containers ready
! INFO: Pod modelregistry-sample-866f6b7cb5-tstts is not running or does not have 3 containers ready
! INFO: Pod modelregistry-sample-866f6b7cb5-tstts is not running or does not have 3 containers ready
✔ Success: Pod modelregistry-sample-866f6b7cb5-tstts is running and 3 out of 3 containers are ready
✔ Success: Route 'odh-model-registries-modelregistry-sample-rest' exists in namespace 'istio-system'

• Host modelregistry-sample-rest.apps.rk415.apicurio.integration-qe.com:443 was resolved.
• IPv6: (none)
• IPv4: 10.0.198.167
• Trying 10.0.198.167:443...
• Connected to modelregistry-sample-rest.apps.rk415.apicurio.integration-qe.com (10.0.198.167) port 443
• ALPN: curl offers h2,http/1.1
  } [5 bytes data]
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
  } [512 bytes data]
• CAfile: certs/domain.crt
• CApath: none
  { [5 bytes data]
• TLSv1.3 (IN), TLS handshake, Server hello (2):
  { [122 bytes data]
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  { [15 bytes data]
• TLSv1.3 (IN), TLS handshake, Certificate (11):
  { [948 bytes data]
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
  { [264 bytes data]
• TLSv1.3 (IN), TLS handshake, Finished (20):
  { [52 bytes data]
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  } [1 bytes data]
• TLSv1.3 (OUT), TLS handshake, Finished (20):
  } [52 bytes data]
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
• ALPN: server accepted h2
• Server certificate:
• subject: CN=modelregistry-sample-rest; O=modelregistry organization
• start date: Jun 21 16:15:49 2024 GMT
• expire date: Jun 21 16:15:49 2025 GMT
• subjectAltName: host "modelregistry-sample-rest.apps.rk415.apicurio.integration-qe.com" matched cert's "modelregistry-sample-rest.apps.rk415.apicurio.integration-qe.com"
• issuer: O=modelregistry Inc.; CN=apps.rk415.apicurio.integration-qe.com
• SSL certificate verify ok.
• Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
• Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
  } [5 bytes data]
• using HTTP/2
• [HTTP/2] [1] OPENED stream for https://modelregistry-sample-rest.apps.rk415.apicurio.integration-qe.com/api/model_registry/v1alpha3/registered_models
• [HTTP/2] [1] [:method: GET]
• [HTTP/2] [1] [:scheme: https]
• [HTTP/2] [1] [:authority: modelregistry-sample-rest.apps.rk415.apicurio.integration-qe.com]
• [HTTP/2] [1] [:path: /api/model_registry/v1alpha3/registered_models]
• [HTTP/2] [1] [user-agent: curl/8.5.0]
• [HTTP/2] [1] [accept: /]
• [HTTP/2] [1] [authorization: Bearer sha256~TdtJQry5AlcnmLL4myvTQVxS0MxG6VT9ca923_l8sxA]
  } [5 bytes data]

GET /api/model_registry/v1alpha3/registered_models HTTP/2
Host: modelregistry-sample-rest.apps.rk415.apicurio.integration-qe.com
User-Agent: curl/8.5.0
Accept: /
Authorization: Bearer sha256~TdtJQry5AlcnmLL4myvTQVxS0MxG6VT9ca923_l8sxA

{ [5 bytes data]

• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  { [265 bytes data]
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  { [265 bytes data]
• old SSL session ID is stale, removing
  { [5 bytes data]
  < HTTP/2 200
  < content-type: application/json; charset=UTF-8
  < vary: Origin
  < date: Fri, 21 Jun 2024 16:17:09 GMT
  < content-length: 54
  < x-envoy-upstream-service-time: 38
  < server: istio-envoy
  <
  { [54 bytes data]
• Connection #0 to host modelregistry-sample-rest.apps.rk415.apicurio.integration-qe.com left intact
  ✔ Success: Route server is reachable. Status code: 200 OK
  Success: Registered Model ID: 1
  Success: Model Version ID: 2
  Success: Model Artifact ID: 1

How to run the script and test the PR.

• git pull and checkout this PR
• from the root of the repo ./openshift-ci/scripts/oci-model-registry-istio-tls-deploy.sh

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: tonyxrmdavidson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [tonyxrmdavidson]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tonyxrmdavidson]

/retest

[tonyxrmdavidson]

/retest

[tonyxrmdavidson]

/retest

[tonyxrmdavidson]

/test e2e-odh-mro-optional

[tonyxrmdavidson]

/retest

[tonyxrmdavidson]

/retest

[tonyxrmdavidson]

/retest

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.84%. Comparing base (87fc77b) to head (efd182c).

Additional details and impacted files

@@           Coverage Diff           @@
##             main      #76   +/-   ##
=======================================
  Coverage   75.84%   75.84%           
=======================================
  Files          19       19           
  Lines        2215     2215           
  Branches      101      101           
=======================================
  Hits         1680     1680           
  Misses        340      340           
  Partials      195      195           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[tarilabs]

/lgtm

One comment however, and I might have missed something, but looks to me we are keeping a copy of the Manifests from the ODH/model-registry-operator, here; since the original inception of that, now this copy:

1. evolves: the more manifest in MRO repo, the more we copy over here
2. keep the need of manual sync

I'm not arguing for an immediate action here, but as we're considering "shifting left" and "lefter", it could be interesting to evaluate:

1. for the script here in midstream to just consume the manifest from the odh/MRO repo
2. as that might as well make it easier to parametrize to consume different manifests, for instance, just consume KF/mr manifest and skip the use of ODH/MRO when testing this for upstream (and other applicable limitations)

wdyt ?

[rareddy]

wdyt ?

I waiting to see who will bring this point up. Thanks @tarilabs ++. Very valid point in terms manageability of the code.

How does the manifests project link up in the Kubeflow repos or between ODH operator and MRO mainifests?