fix(authz): Fix broken external auth configuration

[israel-hdez]

Description

There are two misconfigurations being fixed:

• In the SMCP, the service hostname of Authorino was coded with -authorization suffix, but the right suffix is -authorino-authorization.
• In the kserve-predictor AuthorizationPolicy, the hardcoded opendatahub-odh-auth-provider provider name was used, but it should have been the template {{ .AppNamespace }}-auth-provider.

In pkg/feature/feature.go the patch manifests (i.e. the ones containing .patch in the filename) are always applied. Thus, the first bullet is solved by fixing the patch file that adds the extensionProvider to the SMCP.

For the second bullet, the faulty AuthorizationPolicy is created with a regular manifest template which is only applied if the resource does not exist. Thus, a patch manifest is added to properly fix the faulty policy (including operator upgrades).

Fixes https://issues.redhat.com/browse/RHOAIENG-4192

How Has This Been Tested?

Both doing a clean install, and simulating an upgrade.

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[israel-hdez]

@VaishnaviHire This would fix the broken installation that Eyal reported.

[bartoszmajsak]

In the kserve-predictor AuthorizationPolicy, the hardcoded opendatahub-odh-auth-provider provider name was used, but it should have been the template {{ .AppNamespace }}-auth-provider.

@israel-hdez I think this is a good workaround for now, but there's a config map (auth-refs) we can use to share the final name across controllers. /cc @aslakknutsen

[bartoszmajsak]

LGTM

I am wondering however if we have any automated test somewhere smoke testing this setup?

[zdtsw]

you want to keep file name "pkg/feature/templates/servicemesh/kserve/z-fix-jira-4192/kserve-predictor-authorizationpolicy.patch.tmpl" ?

[israel-hdez]

you want to keep file name "pkg/feature/templates/servicemesh/kserve/z-fix-jira-4192/kserve-predictor-authorizationpolicy.patch.tmpl" ?

Yes, manifests are applied in filename alphabetical order. So, I wanted to make sure the patch is applied at last.

[israel-hdez]

I am wondering however if we have any automated test somewhere smoke testing this setup?

I guess E2E tests on KServe repo would have catched this, but they are not using the operator to setup the stack. So, I think in serving side we should improve our E2E setup to catch earlier this.

[VedantMahabaleshwarkar]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bartoszmajsak, VedantMahabaleshwarkar, zdtsw

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [zdtsw]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[zdtsw]

i am confused again :D
https://github.com/opendatahub-io/opendatahub-operator/blob/incubation/pkg/feature/servicemesh/cleanup.go#L15C2-L15C79
should this be updated too, if the name is patched to {{ .AppNamespace }}-auth-provider already

[bartoszmajsak]

i am confused again :D incubation/pkg/feature/servicemesh/cleanup.go#L15C2-L15C79 should this be updated too, if the name is patched to {{ .AppNamespace }}-auth-provider already

Yeah, we missed it :( @zdtsw go ahead and open PR with the fix.

[zdtsw]

i am confused again :D incubation/pkg/feature/servicemesh/cleanup.go#L15C2-L15C79 should this be updated too, if the name is patched to {{ .AppNamespace }}-auth-provider already

Yeah, we missed it :( @zdtsw go ahead and open PR with the fix.

[bartoszmajsak]

I added fix and ported missing tests in #905