feat: support providers with self-signed certificates (#109)

- Updated the operator's CRD to allow the definition of a configMap containing ca-cert data, by configuring fields in a LlamaStackDistribution CR.
- Configured llama-stack to trust connections to providers like vLLM using server certificates from that Certificate Authority.
- Added an example script to generate generic self-signed certificates in PEM format to use with vLLM.
- Added an example configuration file to load the self-signed certs into a secret, mount the secret into the container, and point vLLM to the certs on server startup.


Approved-by: VaishnaviHire

Author: rhdedgar

api/v1alpha1/llamastackdistribution_types.go

@@ -2001,6 +2001,35 @@ spec:
                         pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                         x-kubernetes-int-or-string: true
                     type: object
+                  tlsConfig:
+                    description: TLSConfig defines the TLS configuration for the llama-stack
+                      server
+                    properties:
+                      caBundle:
+                        description: CABundle defines the CA bundle configuration
+                          for custom certificates
+                        properties:
+                          configMapKeys:
+                            description: |-
+                              ConfigMapKeys specifies multiple keys within the ConfigMap containing CA bundle data
+                              All certificates from these keys will be concatenated into a single CA bundle file
+                              If not specified, defaults to [DefaultCABundleKey]
+                            items:
+                              type: string
+                            maxItems: 50
+                            type: array
+                          configMapName:
+                            description: ConfigMapName is the name of the ConfigMap
+                              containing CA bundle certificates
+                            type: string
+                          configMapNamespace:
+                            description: ConfigMapNamespace is the namespace of the
+                              ConfigMap (defaults to the same namespace as the CR)
+                            type: string
+                        required:
+                        - configMapName
+                        type: object
+                    type: object
                   userConfig:
                     description: UserConfig defines the user configuration for the
                       llama-stack server
@@ -2170,6 +2199,8 @@ spec:
     selectableFields:
     - jsonPath: .spec.server.userConfig.configMapName
     - jsonPath: .spec.server.userConfig.configMapNamespace
+    - jsonPath: .spec.server.tlsConfig.caBundle.configMapName
+    - jsonPath: .spec.server.tlsConfig.caBundle.configMapNamespace
     served: true
     storage: true
     subresources:

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: llama-stack-config
+data:
+  run.yaml: |
+    # Llama Stack Configuration
+    version: '2'
+    image_name: remote-vllm
+    apis:
+    - inference
+    providers:
+      inference:
+      - provider_id: vllm
+        provider_type: "remote::vllm"
+        config:
+          url: "https://vllm-server.vllm-dist.svc.cluster.local:8000/v1"
+    models:
+      - model_id: "meta-llama/Llama-3.2-1B-Instruct"
+        provider_id: vllm
+        model_type: llm
+    server:
+      port: 8321
+---
+apiVersion: llamastack.io/v1alpha1
+kind: LlamaStackDistribution
+metadata:
+  name: llamastack-with-config
+spec:
+  replicas: 1
+  server:
+    distribution:
+      name: remote-vllm
+    containerSpec:
+      port: 8321
+      env:
+      - name: INFERENCE_MODEL
+        value: "meta-llama/Llama-3.2-1B-Instruct"
+      - name: VLLM_URL
+        value: "https://vllm-server.vllm-dist.svc.cluster.local:8000/v1"
+      - name: VLLM_TLS_VERIFY
+        value: "/etc/ssl/certs/ca-bundle.crt"
+    userConfig:
+      configMapName: llama-stack-config
+      # configMapNamespace: ""  # Optional - defaults to the same namespace as the CR
+    tlsConfig:
+      caBundle:
+        configMapName: custom-ca-bundle
+        # configMapNamespace: ""  # Optional - defaults to the same namespace as the CR
+        # configMapKeys not specified - defaults to ["ca-bundle.crt"]
+        # configMapKeys: # Specify multiple keys to concatenate into ca-bundle.crt
+        #   - ca-bundle1.crt
+        #   - ca-bundle2.crt

config/crd/bases/llamastack.io_llamastackdistributions.yaml

@@ -0,0 +1,54 @@
+#!/bin/bash
+
+# --- Configuration ---
+
+# CA Details
+CA_KEY="ca.key"
+CA_CERT="ca.crt"
+CA_SUBJECT="/C=US/ST=California/L=Los Angeles/O=Demo Corp/OU=OpenShift CA/CN=example-ca"
+
+# Security Configuration
+KEY_SIZE=4096
+CA_VALIDITY_DAYS=365
+
+echo "================================================"
+echo "WARNING: This script is for TESTING PURPOSES ONLY"
+echo "Do NOT use these certificates in production!"
+echo "================================================"
+echo
+
+# --- 1. Create the Certificate Authority (CA) ---
+
+echo "Generating CA private key and self-signed certificate..."
+
+# Generate the CA's private key with stronger key size
+openssl genrsa -out "${CA_KEY}" ${KEY_SIZE}
+
+# Generate the self-signed CA certificate
+openssl req -x509 -new -nodes -key "${CA_KEY}" \
+  -sha256 -days ${CA_VALIDITY_DAYS} \
+  -subj "${CA_SUBJECT}" \
+  -out "${CA_CERT}"
+
+echo "CA created successfully: ${CA_KEY}, ${CA_CERT}"
+
+
+echo "   All files created successfully!"
+echo "------------------------------------"
+echo "  - CA Private Key:           ${CA_KEY} (${KEY_SIZE}-bit)"
+echo "  - CA Certificate:           ${CA_CERT} (valid for ${CA_VALIDITY_DAYS} days)"
+echo "------------------------------------"
+echo
+echo "Security Reminders:"
+echo "- Keep private keys secure and never commit them to version control"
+echo "- Consider using cert-manager for production certificate management"
+echo "- Rotate certificates regularly in production environments"
+
+
+# Get the directory where this script is located
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+mkdir -p "${SCRIPT_DIR}/vllm-ca-certs"
+
+# Move to a mock CA bundle file
+cp "${CA_CERT}" "${SCRIPT_DIR}/vllm-ca-certs/ca-bundle.crt"

config/samples/example-with-ca-bundle.yaml

@@ -4,3 +4,5 @@ kind: Kustomization
 ## Append samples you want in your CSV to this file as resources ##
 resources:
 - _v1alpha1_llamastackdistribution.yaml
+- example-with-configmap.yaml
+- example-with-ca-bundle.yaml