@nerdalert
Last active January 16, 2026 05:22
stdout testing for opendatahub-io/models-as-a-service#227

brent@ip-172-31-33-128:~/tls/opendatahub-operator$ make install deploy -e VERSION=tls -e IMG='quay.io/bmajsak/opendatahub-operator:tls'
go: downloading go1.25.0 (linux/amd64)
mkdir -p /home/brent/tls/opendatahub-operator/bin
Downloading sigs.k8s.io/kustomize/kustomize/v5@v5.7.0
Downloading sigs.k8s.io/controller-tools/cmd/controller-gen@v0.17.3
/home/brent/tls/opendatahub-operator/bin/controller-gen --load-build-tags=odh rbac:roleName=controller-manager-role crd:ignoreUnexportedFields=true webhook paths="./..." output:crd:artifacts:config=config/crd/bases output:rbac:artifacts:config=config/rbac output:webhook:artifacts:config=config/webhook
/home/brent/tls/opendatahub-operator
cd config/manager \
	&& cp -f kustomization.yaml.in kustomization.yaml \
	&& /home/brent/tls/opendatahub-operator/bin/kustomize edit set image REPLACE_IMAGE=quay.io/bmajsak/opendatahub-operator:tls
/home/brent/tls/opendatahub-operator/bin/kustomize build config/crd/bases | kubectl apply -f -
customresourcedefinition.apiextensions.k8s.io/auths.services.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/dashboards.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/datascienceclusters.datasciencecluster.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/datasciencepipelines.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/dscinitializations.dscinitialization.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/feastoperators.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/featuretrackers.features.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/gatewayconfigs.services.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/hardwareprofiles.infrastructure.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/kserves.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/kueues.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/llamastackoperators.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/mlflowoperators.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/modelcontrollers.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/modelregistries.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/modelsasservices.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/monitorings.services.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/rays.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/trainers.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/trainingoperators.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/trustyais.components.platform.opendatahub.io created
customresourcedefinition.apiextensions.k8s.io/workbenches.components.platform.opendatahub.io created
/home/brent/tls/opendatahub-operator/bin/kustomize build config/default | kubectl apply --namespace opendatahub-operator-system -f -
namespace/opendatahub-operator-system created
customresourcedefinition.apiextensions.k8s.io/auths.services.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/dashboards.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/datascienceclusters.datasciencecluster.opendatahub.io configured
customresourcedefinition.apiextensions.k8s.io/datasciencepipelines.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/dscinitializations.dscinitialization.opendatahub.io configured
customresourcedefinition.apiextensions.k8s.io/feastoperators.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/featuretrackers.features.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/gatewayconfigs.services.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/hardwareprofiles.infrastructure.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/kserves.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/kueues.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/llamastackoperators.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/mlflowoperators.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/modelcontrollers.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/modelregistries.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/modelsasservices.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/monitorings.services.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/rays.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/trainers.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/trainingoperators.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/trustyais.components.platform.opendatahub.io unchanged
customresourcedefinition.apiextensions.k8s.io/workbenches.components.platform.opendatahub.io unchanged
serviceaccount/opendatahub-operator-controller-manager created
clusterrole.rbac.authorization.k8s.io/opendatahub-operator-controller-manager-role created
clusterrole.rbac.authorization.k8s.io/opendatahub-operator-metrics-reader created
clusterrolebinding.rbac.authorization.k8s.io/opendatahub-operator-controller-manager-rolebinding created
service/opendatahub-operator-controller-manager-metrics-service created
service/opendatahub-operator-webhook-service created
deployment.apps/opendatahub-operator-controller-manager created
mutatingwebhookconfiguration.admissionregistration.k8s.io/opendatahub-operator-mutating-webhook-configuration created
validatingwebhookconfiguration.admissionregistration.k8s.io/opendatahub-operator-validating-webhook-configuration created
brent@ip-172-31-33-128:~/tls/opendatahub-operator$ curl -sSL https://gist.githubusercontent.com/bartoszmajsak/7f4789ee543d6226546c2afa923f6b76/raw | bash
=========================================
🚀 MaaS Platform Prerequisites Installation
=========================================

📋 Checking prerequisites...

Required tools:
  - oc: Client Version: 4.19.21
  - jq: jq-1.7
  - yq: yq version 4.2.0
  - kustomize: {v5.8.0  2025-11-09T14:39:49Z   }
  - git: git version 2.43.0

ℹ️  Note: OpenShift Service Mesh should be automatically installed when GatewayClass is created.
   If the Gateway gets stuck in 'Waiting for controller', you may need to manually
   install the Red Hat OpenShift Service Mesh operator from OperatorHub.

1️⃣ Checking OpenShift version and Gateway API requirements...
   OpenShift version: 4.20.6
   ✅ OpenShift 4.20.6 supports Gateway API via GatewayClass (no feature gates needed)

2️⃣ Installing Kuadrant...
   Checking for existing Kuadrant installation...
   No CSV found for kuadrant-operator in kuadrant-system
   No existing installation found, checking for leftover CRDs...
   Installing Kuadrant...
bash: line 212: /home/brent/tls/opendatahub-operator/install-dependencies.sh: No such file or directory
brent@ip-172-31-33-128:~/tls/opendatahub-operator$ ls
CONTRIBUTING.md  LICENSE   OWNERS          PROJECT    api  cmd          config                    docs                  go.mod  hack      opt  semgrep.yaml
Dockerfiles      Makefile  OWNERS_ALIASES  README.md  bin  codecov.yml  crd-ref-docs.config.yaml  get_all_manifests.sh  go.sum  internal  pkg  tests
brent@ip-172-31-33-128:~/tls/opendatahub-operator$ find . | grep install-dependencies
brent@ip-172-31-33-128:~/tls/opendatahub-operator$ ls
CONTRIBUTING.md  LICENSE   OWNERS          PROJECT    api  cmd          config                    docs                  go.mod  hack      opt  semgrep.yaml
Dockerfiles      Makefile  OWNERS_ALIASES  README.md  bin  codecov.yml  crd-ref-docs.config.yaml  get_all_manifests.sh  go.sum  internal  pkg  tests
brent@ip-172-31-33-128:~/tls/opendatahub-operator$ install-dependencies^C
brent@ip-172-31-33-128:~/tls/opendatahub-operator$ curl -sSL https://gist.githubusercontent.com/bartoszmajsak/7f4789ee543d6226546c2afa923f6b76/raw | bash
=========================================
🚀 MaaS Platform Prerequisites Installation
=========================================

📋 Checking prerequisites...

Required tools:
  - oc: Client Version: 4.19.21
  - jq: jq-1.7
  - yq: yq version 4.2.0
  - kustomize: {v5.8.0  2025-11-09T14:39:49Z   }
  - git: git version 2.43.0

ℹ️  Note: OpenShift Service Mesh should be automatically installed when GatewayClass is created.
   If the Gateway gets stuck in 'Waiting for controller', you may need to manually
   install the Red Hat OpenShift Service Mesh operator from OperatorHub.

1️⃣ Checking OpenShift version and Gateway API requirements...
   OpenShift version: 4.20.6
   ✅ OpenShift 4.20.6 supports Gateway API via GatewayClass (no feature gates needed)

2️⃣ Installing Kuadrant...
   Checking for existing Kuadrant installation...
   No CSV found for kuadrant-operator in kuadrant-system
   No existing installation found, checking for leftover CRDs...
   Installing Kuadrant...
bash: line 212: /home/brent/tls/opendatahub-operator/install-dependencies.sh: No such file or directory
brent@ip-172-31-33-128:~/tls/opendatahub-operator$ find ../models-as-a-service/ | grep install-dependencies
../models-as-a-service/scripts/install-dependencies.sh
brent@ip-172-31-33-128:~/tls/opendatahub-operator$ cd ..
brent@ip-172-31-33-128:~/tls$ cd models-as-a-service/
brent@ip-172-31-33-128:~/tls/models-as-a-service$ curl -sSL https://gist.githubusercontent.com/bartoszmajsak/7f4789ee543d6226546c2afa923f6b76/raw | bash
=========================================
🚀 MaaS Platform Prerequisites Installation
=========================================

📋 Checking prerequisites...

Required tools:
  - oc: Client Version: 4.19.21
  - jq: jq-1.7
  - yq: yq version 4.2.0
  - kustomize: {v5.8.0  2025-11-09T14:39:49Z   }
  - git: git version 2.43.0

ℹ️  Note: OpenShift Service Mesh should be automatically installed when GatewayClass is created.
   If the Gateway gets stuck in 'Waiting for controller', you may need to manually
   install the Red Hat OpenShift Service Mesh operator from OperatorHub.

1️⃣ Checking OpenShift version and Gateway API requirements...
   OpenShift version: 4.20.6
   ✅ OpenShift 4.20.6 supports Gateway API via GatewayClass (no feature gates needed)

2️⃣ Installing Kuadrant...
   Checking for existing Kuadrant installation...
   No CSV found for kuadrant-operator in kuadrant-system
   No existing installation found, checking for leftover CRDs...
   Installing Kuadrant...
bash: line 212: /home/brent/tls/models-as-a-service/install-dependencies.sh: No such file or directory
brent@ip-172-31-33-128:~/tls/models-as-a-service$ find . | grep install-dependencies
./scripts/install-dependencies.sh
brent@ip-172-31-33-128:~/tls/models-as-a-service$ cd scripts/
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ curl -sSL https://gist.githubusercontent.com/bartoszmajsak/7f4789ee543d6226546c2afa923f6b76/raw | bash
=========================================
🚀 MaaS Platform Prerequisites Installation
=========================================

📋 Checking prerequisites...

Required tools:
  - oc: Client Version: 4.19.21
  - jq: jq-1.7
  - yq: yq version 4.2.0
  - kustomize: {v5.8.0  2025-11-09T14:39:49Z   }
  - git: git version 2.43.0

ℹ️  Note: OpenShift Service Mesh should be automatically installed when GatewayClass is created.
   If the Gateway gets stuck in 'Waiting for controller', you may need to manually
   install the Red Hat OpenShift Service Mesh operator from OperatorHub.

1️⃣ Checking OpenShift version and Gateway API requirements...
   OpenShift version: 4.20.6
   ✅ OpenShift 4.20.6 supports Gateway API via GatewayClass (no feature gates needed)

2️⃣ Installing Kuadrant...
   Checking for existing Kuadrant installation...
   No CSV found for kuadrant-operator in kuadrant-system
   No existing installation found, checking for leftover CRDs...
   Installing Kuadrant...
namespace/kuadrant-system created
🚀 Creating Kuadrant OperatorGroup...
operatorgroup.operators.coreos.com/kuadrant-operator-group created
🚀 Creating Kuadrant CatalogSource...
catalogsource.operators.coreos.com/kuadrant-operator-catalog created
🚀 Installing kuadrant (via OLM Subscription)...
subscription.operators.coreos.com/kuadrant-operator created
⏳ Waiting for kuadrant-operator-controller-manager deployment to be created... (attempt 1/7)
⏳ Waiting for kuadrant-operator-controller-manager deployment to be created... (attempt 2/7)
⏳ Waiting for operators to be ready...
deployment.apps/kuadrant-operator-controller-manager condition met
deployment.apps/limitador-operator-controller-manager condition met
deployment.apps/authorino-operator condition met
   Patching Kuadrant operator...
clusterserviceversion.operators.coreos.com/kuadrant-operator.v1.3.1 patched
   ✅ Kuadrant operator patched (kuadrant-operator.v1.3.1)
✅ Successfully installed kuadrant


3️⃣ Patching GatewayConfig to use LoadBalancer ingress mode...
   ⚠️  GatewayConfig default-gateway not found, skipping patch
      (It may be created later by the ODH operator)

4️⃣ Deploying Gateway infrastructure...
   Cluster domain: apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org
   Deploying Gateway and GatewayClass...
gatewayclass.gateway.networking.k8s.io/openshift-default serverside-applied
gateway.gateway.networking.k8s.io/openshift-ai-inference serverside-applied
   Found TLS certificate secret: router-certs-default
gateway.gateway.networking.k8s.io/maas-default-gateway serverside-applied

5️⃣ Waiting for Kuadrant operators to be installed by OLM...
⏳ Looking for kuadrant-operator (minimum version: 1.3.1)...
✅ Found CSV: kuadrant-operator.v1.3.1 (version: 1.3.1 >= 1.3.1)
⏳ Waiting for CSV kuadrant-operator.v1.3.1 to succeed (timeout: 300s)...
✅ CSV kuadrant-operator.v1.3.1 succeeded
⏳ Looking for authorino-operator (minimum version: 0.22.0)...
✅ Found CSV: authorino-operator.v0.22.0 (version: 0.22.0 >= 0.22.0)
⏳ Waiting for CSV authorino-operator.v0.22.0 to succeed (timeout: 60s)...
✅ CSV authorino-operator.v0.22.0 succeeded
⏳ Looking for limitador-operator (minimum version: 0.16.0)...
✅ Found CSV: limitador-operator.v0.16.0 (version: 0.16.0 >= 0.16.0)
⏳ Waiting for CSV limitador-operator.v0.16.0 to succeed (timeout: 60s)...
✅ CSV limitador-operator.v0.16.0 succeeded
⏳ Looking for dns-operator (minimum version: 0.15.0)...
✅ Found CSV: dns-operator.v0.15.0 (version: 0.15.0 >= 0.15.0)
⏳ Waiting for CSV dns-operator.v0.15.0 to succeed (timeout: 60s)...
✅ CSV dns-operator.v0.15.0 succeeded
   Verifying Kuadrant CRDs are available...
⏳ Waiting for CRD kuadrants.kuadrant.io to appear (timeout: 30s)…
✅ CRD kuadrants.kuadrant.io detected, waiting for it to become Established...
customresourcedefinition.apiextensions.k8s.io/kuadrants.kuadrant.io condition met
⏳ Waiting for CRD authpolicies.kuadrant.io to appear (timeout: 10s)…
✅ CRD authpolicies.kuadrant.io detected, waiting for it to become Established...
customresourcedefinition.apiextensions.k8s.io/authpolicies.kuadrant.io condition met
⏳ Waiting for CRD ratelimitpolicies.kuadrant.io to appear (timeout: 10s)…
✅ CRD ratelimitpolicies.kuadrant.io detected, waiting for it to become Established...
customresourcedefinition.apiextensions.k8s.io/ratelimitpolicies.kuadrant.io condition met
⏳ Waiting for CRD tokenratelimitpolicies.kuadrant.io to appear (timeout: 10s)…
✅ CRD tokenratelimitpolicies.kuadrant.io detected, waiting for it to become Established...
customresourcedefinition.apiextensions.k8s.io/tokenratelimitpolicies.kuadrant.io condition met

6️⃣ Deploying Kuadrant configuration (now that CRDs exist)...
kuadrant.kuadrant.io/kuadrant created

7️⃣ Waiting for Gateway to be ready...
   Note: This may take a few minutes if Service Mesh is being automatically installed...
   Waiting for automatic Service Mesh installation...
⏳ Waiting for CRD istios.sailoperator.io to appear (timeout: 300s)…
✅ CRD istios.sailoperator.io detected, waiting for it to become Established...
customresourcedefinition.apiextensions.k8s.io/istios.sailoperator.io condition met
   ✅ Service Mesh operator installed
   Waiting for Gateway to become ready...
gateway.gateway.networking.k8s.io/maas-default-gateway condition met

8️⃣ Configuring Authorino TLS...
πŸ” Configuring Authorino TLS in namespace: kuadrant-system
πŸ“ Adding serving-cert annotation to Authorino service...
service/authorino-authorino-authorization annotated
🔧 Patching Authorino CR for TLS listener and CA bundle volume...
authorino.operator.authorino.kuadrant.io/authorino patched
🌍 Adding environment variables to Authorino deployment...
deployment.apps/authorino env updated
✅ Authorino TLS configuration complete
   Waiting for Authorino deployment to pick up TLS config...
Waiting for deployment "authorino" rollout to finish: 1 old replicas are pending termination...
Waiting for deployment spec update to be observed...
Waiting for deployment spec update to be observed...
Waiting for deployment "authorino" rollout to finish: 0 out of 1 new replicas have been updated...
Waiting for deployment "authorino" rollout to finish: 0 out of 1 new replicas have been updated...
Waiting for deployment "authorino" rollout to finish: 1 old replicas are pending termination...
Waiting for deployment "authorino" rollout to finish: 1 old replicas are pending termination...
deployment "authorino" successfully rolled out

9️⃣ Updating Limitador image for metrics exposure...
limitador.limitador.kuadrant.io/limitador patched
   ✅ Limitador image updated

=========================================
⚠️  TEMPORARY WORKAROUNDS (TO BE REMOVED)
=========================================

Applying temporary workarounds for known issues...
   🔧 Restarting Kuadrant, Authorino, and Limitador operators to refresh webhook configurations...
pod "authorino-76d7b84c9-cn46l" deleted from kuadrant-system namespace
pod "authorino-d8564469d-bfp27" deleted from kuadrant-system namespace
pod "kuadrant-operator-controller-manager-68d7ff44d6-9mw9t" deleted from kuadrant-system namespace
pod "limitador-operator-controller-manager-84d8fbb794-xncp7" deleted from kuadrant-system namespace
   ✅ Kuadrant operator restarted
deployment.apps/authorino-operator restarted
   ✅ Authorino operator restarted
deployment.apps/limitador-operator-controller-manager restarted
   ✅ Limitador operator restarted
   Waiting for operators to be ready...
Waiting for deployment "kuadrant-operator-controller-manager" rollout to finish: 0 of 1 updated replicas are available...
deployment "kuadrant-operator-controller-manager" successfully rolled out
deployment "authorino-operator" successfully rolled out
deployment "limitador-operator-controller-manager" successfully rolled out

=========================================
✅ Prerequisites Installation Complete!
=========================================

📊 Status Check:

Component Status:
  Kuadrant pods running: 8

Gateway Status:
  Accepted: True
  Programmed: True

Installed CRDs:
  authconfigs.authorino.kuadrant.io
  authorinos.operator.authorino.kuadrant.io
  authpolicies.kuadrant.io
  dnshealthcheckprobes.kuadrant.io
  dnspolicies.kuadrant.io
  dnsrecords.kuadrant.io
  kuadrants.kuadrant.io
  limitadors.limitador.kuadrant.io
  oidcpolicies.extensions.kuadrant.io
  planpolicies.extensions.kuadrant.io
  ratelimitpolicies.kuadrant.io
  telemetrypolicies.extensions.kuadrant.io
  tlspolicies.kuadrant.io
  tokenratelimitpolicies.kuadrant.io
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ kubectl apply -f - <<EOF
apiVersion: dscinitialization.opendatahub.io/v1
kind: DSCInitialization
metadata:
  name: default
spec:
  applicationsNamespace: opendatahub
  trustedCABundle:
    managementState: Removed
  monitoring:
    managementState: Managed
    namespace: opendatahub
EOF
dscinitialization.dscinitialization.opendatahub.io/default created
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ kubectl apply -f - <<EOF
apiVersion: datasciencecluster.opendatahub.io/v1
kind: DataScienceCluster
metadata:
  name: default
spec:
  components:
    kserve:
      managementState: Managed
      rawDeploymentServiceConfig: Headed
      modelsAsService:
        managementState: Managed
EOF
datasciencecluster.datasciencecluster.opendatahub.io/default created
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ kubectl wait --for=condition=Ready datasciencecluster/default --timeout=300s
datasciencecluster.datasciencecluster.opendatahub.io/default condition met
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ curl -sSL https://gist.githubusercontent.com/bartoszmajsak/ab0e26734be5f144b31994f92ba85e94/raw | bash
=========================================
🔧 AuthPolicy Audience Patching
=========================================

   MaaS API namespace: opendatahub

Attempting to detect audience...
   Token created successfully
   JWT payload extracted
   Payload decoded successfully
   Detected audience: https://kubernetes.default.svc

1️⃣ Patching AuthPolicy maas-api-auth-policy in opendatahub...
   Adding opendatahub.io/managed=false annotation...
authpolicy.kuadrant.io/maas-api-auth-policy patched
   ✅ Annotation added successfully
   Patching audience...
authpolicy.kuadrant.io/maas-api-auth-policy patched (no change)
   ✅ maas-api-auth-policy patched successfully

=========================================
✅ AuthPolicy Audience Patching Complete!
=========================================

If any patches failed, you can manually configure:

  # Add annotation to prevent ODH from overwriting:
  kubectl patch authpolicy maas-api-auth-policy -n opendatahub \
    --type='merge' \
    -p '{"metadata":{"annotations":{"opendatahub.io/managed":"false"}}}'

  # Patch the audience:
  kubectl patch authpolicy maas-api-auth-policy -n opendatahub \
    --type='json' \
    -p '[{"op":"replace","path":"/spec/rules/authentication/openshift-identities/kubernetesTokenReview/audiences/0","value":"https://kubernetes.default.svc"}]'

brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ kustomize build deployment/base/policies/usage-policies/ | kubectl apply -f -
Error: must build at directory: not a valid directory: evalsymlink failure on 'deployment/base/policies/usage-policies/' : lstat /home/brent/tls/models-as-a-service/scripts/deployment: no such file or directory
error: no objects passed to apply
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ kubectl wait --for=condition=Ready datasciencecluster/default --timeout=300s
datasciencecluster.datasciencecluster.opendatahub.io/default condition met
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ curl -sSL https://gist.githubusercontent.com/bartoszmajsak/ab0e26734be5f144b31994f92ba85e94/raw | bash
=========================================
🔧 AuthPolicy Audience Patching
=========================================

   MaaS API namespace: opendatahub

Attempting to detect audience...
   Token created successfully
   JWT payload extracted
   Payload decoded successfully
   Detected audience: https://kubernetes.default.svc

1️⃣ Patching AuthPolicy maas-api-auth-policy in opendatahub...
   Adding opendatahub.io/managed=false annotation...
authpolicy.kuadrant.io/maas-api-auth-policy patched (no change)
   ✅ Annotation added successfully
   Patching audience...
authpolicy.kuadrant.io/maas-api-auth-policy patched (no change)
   ✅ maas-api-auth-policy patched successfully

=========================================
✅ AuthPolicy Audience Patching Complete!
=========================================

If any patches failed, you can manually configure:

  # Add annotation to prevent ODH from overwriting:
  kubectl patch authpolicy maas-api-auth-policy -n opendatahub \
    --type='merge' \
    -p '{"metadata":{"annotations":{"opendatahub.io/managed":"false"}}}'

  # Patch the audience:
  kubectl patch authpolicy maas-api-auth-policy -n opendatahub \
    --type='json' \
    -p '[{"op":"replace","path":"/spec/rules/authentication/openshift-identities/kubernetesTokenReview/audiences/0","value":"https://kubernetes.default.svc"}]'

brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ kubectl patch authpolicy maas-api-auth-policy -n opendatahub \
    --type='merge' \
    -p '{"metadata":{"annotations":{"opendatahub.io/managed":"false"}}}'

  # Patch the audience:
  kubectl patch authpolicy maas-api-auth-policy -n opendatahub \
    --type='json' \
    -p '[{"op":"replace","path":"/spec/rules/authentication/openshift-identities/kubernetesTokenReview/audiences/0","value":"https://kubernetes.default.svc"}]'
authpolicy.kuadrant.io/maas-api-auth-policy patched (no change)
authpolicy.kuadrant.io/maas-api-auth-policy patched (no change)
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ kustomize build deployment/base/policies/usage-policies/ | kubectl apply -f -
Error: must build at directory: not a valid directory: evalsymlink failure on 'deployment/base/policies/usage-policies/' : lstat /home/brent/tls/models-as-a-service/scripts/deployment: no such file or directory
error: no objects passed to apply
brent@ip-172-31-33-128:~/tls/models-as-a-service/scripts$ cd ..
brent@ip-172-31-33-128:~/tls/models-as-a-service$ kustomize build deployment/base/policies/usage-policies/ | kubectl apply -f -
ratelimitpolicy.kuadrant.io/gateway-rate-limits created
tokenratelimitpolicy.kuadrant.io/gateway-token-rate-limits created
brent@ip-172-31-33-128:~/tls/models-as-a-service$ kustomize build docs/samples/models/simulator | kubectl apply -f -
Error from server (NotFound): error when creating "STDIN": namespaces "llm" not found
brent@ip-172-31-33-128:~/tls/models-as-a-service$
brent@ip-172-31-33-128:~/tls/models-as-a-service$ kubectl create namespace llm

namespace/llm created
brent@ip-172-31-33-128:~/tls/models-as-a-service$ kustomize build docs/samples/models/simulator | kubectl apply -f -
llminferenceservice.serving.kserve.io/facebook-opt-125m-simulated created
brent@ip-172-31-33-128:~/tls/models-as-a-service$ k get llminferenceservices -A
NAMESPACE   NAME                          URL                                                                                           READY   REASON                       AGE
llm         facebook-opt-125m-simulated   http://maas.apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org/llm/facebook-opt-125m-simulated   False   MinimumReplicasUnavailable   11s
brent@ip-172-31-33-128:~/tls/models-as-a-service$ k get llminferenceservices -A
NAMESPACE   NAME                          URL                                                                                           READY   REASON                       AGE
llm         facebook-opt-125m-simulated   http://maas.apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org/llm/facebook-opt-125m-simulated   False   MinimumReplicasUnavailable   14s
brent@ip-172-31-33-128:~/tls/models-as-a-service$ k get llminferenceservices -A
NAMESPACE   NAME                          URL                                                                                           READY   REASON   AGE
llm         facebook-opt-125m-simulated   http://maas.apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org/llm/facebook-opt-125m-simulated   True             81s
brent@ip-172-31-33-128:~/tls/models-as-a-service$ ./scripts/verify-models-and-limits.sh
Looking up gateway configuration...
✓ Found HTTPS listener with hostname: maas.apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org
======================================
   Model Inference & Rate Limit Test
======================================

Gateway URL: https://maas.apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org

Obtaining token from MaaS API...
✓ Token obtained successfully from MaaS API
Discovering available models...
✓ Discovered 1 model(s)
  • facebook/opt-125m at http://maas.apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org/llm/facebook-opt-125m-simulated

Testing discovered models...

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Testing Model: facebook/opt-125m
URL: http://maas.apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org/llm/facebook-opt-125m-simulated
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Testing inference with different prompts:

Request #1:
Prompt: "What is 2+2?"
Status: 200 (Success)
Response: Today is a nice sunny day. The rest is silence.
Tokens Used: 28

Request #2:
Prompt: "Say 'Hello World' in Python"
Status: 200 (Success)
Response: Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime
Tokens Used: 40

Request #3:
Prompt: "What color is the sky?"
Status: 200 (Success)
Response: I am fine, how are you today
Tokens Used: 24


━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Testing Token Rate Limiting
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Making rapid requests to trigger rate limit...
Using model: facebook/opt-125m

Request status: ✓✗✗✗✗✗


Rate Limiting Test Results:
  • Successful requests: 1
  • Total tokens consumed: 12
  • Rate limiting: ✓ Working (429 responses received)

======================================
           Test Summary
======================================

Authentication:
  ✓ MaaS API token endpoint is working
  ✓ Token authentication successful

Model Discovery:
  ✓ Discovered 1 model(s)

Model Inference:
  ✓ 1 model(s) responding successfully
  ✓ Inference endpoints are functional

Rate Limiting:
  ✓ Token rate limiting is enforced

Gateway URL: https://maas.apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org
User:

Models tested:
  • facebook/opt-125m at http://maas.apps.ci-ln-chq84ik-76ef8.aws-2.ci.openshift.org/llm/facebook-opt-125m-simulated

brent@ip-172-31-33-128:~/tls/models-as-a-service$ CLUSTER_DOMAIN=$(kubectl get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')
   HOST="maas.${CLUSTER_DOMAIN}"
brent@ip-172-31-33-128:~/tls/models-as-a-service$ TOKEN_RESPONSE=$(curl -sSk --oauth2-bearer "$(oc whoami -t)" --json '{"expiration": "10m"}' "https://${HOST}/maas-api/v1/tokens")
   TOKEN=$(echo $TOKEN_RESPONSE | jq -r .token)
brent@ip-172-31-33-128:~/tls/models-as-a-service$ MODELS=$(curl -sSk ${HOST}/maas-api/v1/models -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" | jq -r .)
   MODEL_NAME=$(echo $MODELS | jq -r '.data[0].id')
   MODEL_URL="${HOST}/llm/facebook-opt-125m-simulated/v1/chat/completions" # Note: This may be different for your model
   curl -sSk -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{\"model\": \"${MODEL_NAME}\", \"prompt\": \"Hello\", \"max_tokens\": 50}" "${MODEL_URL}"
Too Many Requests

brent@ip-172-31-33-128:~/tls/models-as-a-service$ MODELS=$(curl -sSk ${HOST}/maas-api/v1/models -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" | jq -r .)
   MODEL_NAME=$(echo $MODELS | jq -r '.data[0].id')
   MODEL_URL="${HOST}/llm/facebook-opt-125m-simulated/v1/chat/completions" # Note: This may be different for your model
   curl -sSk -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d "{\"model\": \"${MODEL_NAME}\", \"prompt\": \"Hello\", \"max_tokens\": 50}" "${MODEL_URL}"
{"id":"chatcmpl-9e3aa869-6d00-4251-9415-a91d379a1079","created":1768537455,"model":"facebook/opt-125m","usage":{"prompt_tokens":0,"completion_tokens":50,"total_tokens":50},"object":"chat.completion","do_remote_decode":false,"do_remote_prefill":false,"remote_block_ids":null,"remote_engine_id":"","remote_host":"","remote_port":0,"choices":[{"index":0,"finish_reason":"length","message":{"role":"assistant","content":"I am your AI assistant, how can I help you today? Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime Testing, testing 1,2,3. To be or "}}]}

