Draft: feat(openshift): add standalone RHOAI deployment on any OCP cluster#853
Draft: feat(openshift): add standalone RHOAI deployment on any OCP cluster#853amastbau wants to merge 2 commits into
Conversation
Extract the profile system (RHOAI, ServiceMesh, Serverless, etc.) from pkg/target/service/snc/profile/ into pkg/provider/openshift/profile/ so it can be used independently of SNC. The profile code had zero SNC dependencies — only the package path coupled it. Add new `mapt openshift rhoai create/destroy` command that deploys RHOAI on any existing OpenShift cluster given a kubeconfig path. This supports the AIPCC-19537 epic for RHAII integration testing on stable RHOAI. Usage: mapt openshift rhoai create --kubeconfig <path> --project-name <name> --backed-url <url> mapt openshift rhoai destroy --project-name <name> --backed-url <url> Profiles default to "ai" which installs the full RHOAI stack (ServiceMesh v2, Serverless, RHOAI operator, DataScienceCluster with KServe). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
📝 WalkthroughWalkthroughThis PR adds a new OpenShift provider with a RHOAI Pulumi-based stack action supporting Create and Destroy operations, along with new ChangesOpenShift RHOAI feature
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant CLI as rhoai create
participant Action as rhoaiAction.Create
participant Deploy as rhoaiRequest.deploy
participant Pulumi as pulumiProgram
participant Manager as manager.UpStack
CLI->>Action: RHOAIArgs(kubeconfig, profiles, prefix)
Action->>Action: profile.Validate(profiles)
Action->>Deploy: deploy()
Deploy->>Manager: UpStack(stack config, pulumiProgram)
Manager->>Pulumi: run pulumiProgram
Pulumi->>Pulumi: read kubeconfig, create k8s provider
Pulumi->>Pulumi: profile.Deploy(profiles, provider, kubeconfig, prefix)
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
pkg/provider/openshift/action/rhoai/rhoai.go (1)
20-24: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value
RHOAIArgs.Prefixisn't wired to any CLI flag.The field exists and
Createdefaults it when empty, butcmd/mapt/cmd/openshift/rhoai.go'screateRHOAInever populates it from a flag, so users have no way to override the default prefix.Also applies to: 41-51
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/provider/openshift/action/rhoai/rhoai.go` around lines 20 - 24, The RHOAIArgs.Prefix field is never populated from the CLI, so users cannot override the default prefix. Update the OpenShift RHOAI command wiring in createRHOAI to add a flag for the prefix and pass its value into RHOAIArgs, then ensure RHOAIArgs.Create still falls back to the default only when the flag is unset. Use the RHOAIArgs and createRHOAI symbols to locate the affected flow.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@pkg/provider/openshift/action/rhoai/rhoai.go`:
- Around line 20-24: The RHOAIArgs.Prefix field is never populated from the CLI,
so users cannot override the default prefix. Update the OpenShift RHOAI command
wiring in createRHOAI to add a flag for the prefix and pass its value into
RHOAIArgs, then ensure RHOAIArgs.Create still falls back to the default only
when the flag is unset. Use the RHOAIArgs and createRHOAI symbols to locate the
affected flow.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Enterprise
Run ID: 43b9713c-a8be-4745-82e1-3c6dced8bf93
📒 Files selected for processing (17)
cmd/mapt/cmd/aws/services/snc.gocmd/mapt/cmd/openshift/openshift.gocmd/mapt/cmd/openshift/rhoai.gocmd/mapt/cmd/root.gopkg/provider/aws/action/snc/snc.gopkg/provider/openshift/action/rhoai/rhoai.gopkg/provider/openshift/openshift.gopkg/provider/openshift/profile/client.gopkg/provider/openshift/profile/nfd.gopkg/provider/openshift/profile/nvidia.gopkg/provider/openshift/profile/openshift_ai.gopkg/provider/openshift/profile/operator.gopkg/provider/openshift/profile/profile.gopkg/provider/openshift/profile/serverless.gopkg/provider/openshift/profile/servicemesh.gopkg/provider/openshift/profile/servicemesh_v2.gopkg/provider/openshift/profile/virtualization.go
… namespaces When ServiceMesh enrolls knative-serving via SMMR, it creates a deny-all NetworkPolicy that blocks API server -> webhook traffic on multi-node clusters. This causes KnativeServing install to fail with webhook timeout errors. On SNC this was masked because all traffic is node-local. Add a NetworkPolicy allowing ingress to webhook pods on port 8443 before creating the Knative CR, so admission webhooks remain reachable regardless of mesh network policies. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
pkg/target/service/snc/profile/topkg/provider/openshift/profile/— the code had zero SNC dependencies, only the package path coupled itmapt openshift rhoai create/destroycommand that deploys RHOAI on any existing OpenShift cluster given a kubeconfig pathUsage
The
--profile ai(default) installs the full RHOAI stack:rhods-operatorfrom stable channel)Context
Supports epic AIPCC-19537 — adding an ITS to ensure RHAII builds work on stable RHOAI versions. This is the first step (task AIPCC-19538): enabling mapt to provision RHOAI from the stable channel on any OpenShift cluster.
E2E Test Results
Happy path tested on a real multi-node OCP 4.20 cluster (3 masters + 3 workers, IBM Cloud).
Cluster
Operators Installed (all Succeeded)
Prerequisites Ready
DataScienceCluster Components
RHOAI Pods (all Running)
Issues Found During Testing
KnativeServing webhook timeout (fixed in this PR): On multi-node clusters, ServiceMesh's deny-all NetworkPolicy in
knative-servingnamespace blocks API server → webhook traffic. Added a NetworkPolicy to allow webhook ingress. This issue is masked on SNC where all traffic is node-local.DSC datasciencepipelines conflict (cluster-specific, not a mapt bug): The test cluster had pre-existing Argo Workflows CRDs, which conflict with the DSP operator. DSC reports
NotReadyfor this component. KServe and all other components work correctly. Workaround: setdatasciencepipelinestoRemovedin the DSC spec, or remove existing Argo CRDs.Test plan
make buildpassesmake testpasses (all existing tests, SNC unaffected)mapt openshift rhoai create --helpshows correct flagsmapt openshift rhoai destroy --helpshows correct flagsmapt openshift rhoai destroyteardown (not yet tested)🤖 Generated with Claude Code