Merge remote-tracking branch 'upstream/main' into issue-238-multi-arch

# Conflicts:
#	.github/workflows/build-and-push.yaml

Author: ruivieira

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    assignees:
+      - ruivieira
+    reviewers:
+      - ruivieira

.github/workflows/build-and-push.yaml

@@ -23,6 +23,10 @@ jobs:
   # Ensure that tests pass before publishing a new image.
   build-and-push-ci:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: write
     steps: # Assign context variable for various action contexts (tag, main, CI)
       - name: Assigning CI context
         if: github.head_ref != '' && github.head_ref != 'main' && !startsWith(github.ref, 'refs/tags/v')
@@ -56,6 +60,10 @@ jobs:
           echo "GITHUB.HEAD_REF: ${{ github.head_ref }}"
           echo "SHA: ${{ github.event.pull_request.head.sha }}"
           echo "MAIN IMAGE AT: ${{ vars.QUAY_RELEASE_REPO }}:latest"
+          echo "LMES DRIVER IMAGE AT: ${{ vars.QUAY_RELEASE_LMES_DRIVER_REPO }}:latest"
+          echo "LMES JOB IMAGE AT: ${{ vars.QUAY_RELEASE_LMES_JOB_REPO }}:latest"
+          echo "GUARDRAILS ORCH IMAGE AT: ${{ vars.QUAY_RELEASE_GUARDRAILS_REPO }}:latest"
+
           echo "CI IMAGE AT: quay.io/trustyai/trustyai-service-operator-ci:${{ github.event.pull_request.head.sha }}"
       #
       # Set environments depending on context
@@ -64,39 +72,58 @@ jobs:
         run: |
           echo "TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
           echo "IMAGE_NAME=quay.io/trustyai/trustyai-service-operator-ci" >> $GITHUB_ENV
+          echo "DRIVER_IMAGE_NAME=quay.io/trustyai/ta-lmes-driver-ci" >> $GITHUB_ENV
+          echo "JOB_IMAGE_NAME=quay.io/trustyai/ta-lmes-job-ci" >> $GITHUB_ENV
+          echo "ORCH_IMAGE_NAME=quay.io/trustyai/ta-guardrails-orchestrator-ci" >> $GITHUB_ENV
+
       - name: Set main-branch environment
         if:  env.BUILD_CONTEXT == 'main'
         run: |
           echo "TAG=latest" >> $GITHUB_ENV
           echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+          echo "DRIVER_IMAGE_NAME=${{ vars.QUAY_RELEASE_LMES_DRIVER_REPO }}" >> $GITHUB_ENV
+          echo "JOB_IMAGE_NAME=${{ vars.QUAY_RELEASE_LMES_JOB_REPO }}" >> $GITHUB_ENV
+          echo "ORCH_IMAGE_NAME=${{ vars.QUAY_RELEASE_GUARDRAILS_REPO }}" >> $GITHUB_ENV
+
       - name: Set tag environment
         if: env.BUILD_CONTEXT == 'tag'
         run: |
           echo "TAG=${{ github.ref_name }}" >> $GITHUB_ENV
           echo "IMAGE_NAME=${{ vars.QUAY_RELEASE_REPO }}" >> $GITHUB_ENV
+          echo "DRIVER_IMAGE_NAME=${{ vars.QUAY_RELEASE_LMES_DRIVER_REPO }}" >> $GITHUB_ENV
+          echo "JOB_IMAGE_NAME=${{ vars.QUAY_RELEASE_LMES_JOB_REPO }}" >> $GITHUB_ENV
+          echo "ORCH_IMAGE_NAME=${{ vars.QUAY_RELEASE_GUARDRAILS_REPO }}" >> $GITHUB_ENV
 
-       # Run docker commands
+      # Run docker commands
       - name: Put expiry date on CI-tagged image
         if:  env.BUILD_CONTEXT == 'ci'
         run: sed -i 's#summary="odh-trustyai-service-operator\"#summary="odh-trustyai-service-operator" \\ \n      quay.expires-after=7d#' Dockerfile
       - name: Log in to Quay
         run: docker login -u ${{ secrets.QUAY_ROBOT_USERNAME }} -p ${{ secrets.QUAY_ROBOT_SECRET }} quay.io
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Build and Push Image
-        uses: docker/build-push-action@v3
-        with:
-          tags: ${{ env.IMAGE_NAME }}:${{ env.TAG }}
-          platforms: linux/amd64,linux/s390x,linux/ppc64le
-          push: true
+      - name: Build main image
+        run: docker build -t ${{ env.IMAGE_NAME }}:$TAG .
+      - name: Push main image to Quay
+        run: docker push ${{ env.IMAGE_NAME }}:$TAG
+      - name: Build LMES driver image
+        run: docker build -f Dockerfile.driver -t ${{ env.DRIVER_IMAGE_NAME }}:$TAG .
+      - name: Push LMES driver image to Quay
+        run: docker push ${{ env.DRIVER_IMAGE_NAME }}:$TAG
+      - name: Build LMES job image
+        run: docker build -f Dockerfile.lmes-job -t ${{ env.JOB_IMAGE_NAME }}:$TAG .
+      - name: Push LMES job image to Quay
+        run: docker push ${{ env.JOB_IMAGE_NAME }}:$TAG
+      - name: Build Guardrails orchestrator image
+        run: docker build -f Dockerfile.orchestrator -t ${{ env.ORCH_IMAGE_NAME }}:$TAG .
+      - name: Push Guardrails orchestrator image to Quay
+        run: docker push ${{ env.ORCH_IMAGE_NAME }}:$TAG
 
       # Create CI Manifests
       - name: Set up manifests for CI
         if: env.BUILD_CONTEXT == 'ci'
         run: |
           sed -i "s#quay.io/trustyai/trustyai-service-operator:latest#${{ env.IMAGE_NAME }}:$TAG#" ./config/base/params.env
+          sed -i "s#quay.io/trustyai/trustyai-service-operator:latest#${{ env.IMAGE_NAME }}:$TAG#" ./config/overlays/odh/params.env
+          sed -i "s#quay.io/trustyai/trustyai-service-operator:latest#${{ env.IMAGE_NAME }}:$TAG#" ./config/overlays/rhoai/params.env
           rm -Rf $(ls . | grep -v config)
           rm -Rf .gitignore .dockerignore .github .git .yamllint.yaml
       # pysh to ci-manifest repo
@@ -116,12 +143,14 @@ jobs:
       - uses: peter-evans/find-comment@v3
         name: Find Comment
         id: fc
+        if: env.BUILD_CONTEXT == 'ci'
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: 'github-actions[bot]'
           body-includes: PR image build and manifest generation completed successfully
       - uses: peter-evans/create-or-update-comment@v4
         name: Generate/update success message comment
+        if: env.BUILD_CONTEXT == 'ci'
         with:
           comment-id: ${{ steps.fc.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
@@ -131,5 +160,34 @@ jobs:
 
             📦 [PR image](https://quay.io/trustyai/trustyai-service-operator-ci:${{ github.event.pull_request.head.sha }}): `quay.io/trustyai/trustyai-service-operator-ci:${{ github.event.pull_request.head.sha }}`
 
+            📦 [LMES driver image](https://quay.io/trustyai/ta-lmes-driver:${{ github.event.pull_request.head.sha }}): `quay.io/trustyai/ta-lmes-driver:${{ github.event.pull_request.head.sha }}`
+
+            📦 [LMES job image](https://quay.io/trustyai/ta-lmes-job:${{ github.event.pull_request.head.sha }}): `quay.io/trustyai/ta-lmes-job:${{ github.event.pull_request.head.sha }}`
+
+            📦 [Guardrails orchestrator image](https://quay.io/trustyai/ta-guardrails-orchestrator:${{ github.event.pull_request.head.sha }}): `quay.io/trustyai/ta-guardrails-orchestrator:${{ github.event.pull_request.head.sha }}`
+
             🗂️ [CI manifests](https://github.com/trustyai-explainability/trustyai-service-operator-ci/tree/operator-${{ env.TAG }})
 
+            ```
+            devFlags:
+              manifests:
+                - contextDir: config
+                  sourcePath: ''
+                  uri: https://api.github.com/repos/trustyai-explainability/trustyai-service-operator-ci/tarball/operator-${{ env.TAG }}
+            ```
+      - name: Trivy scan
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'image'
+          image-ref: "${{ env.IMAGE_NAME }}:${{ env.TAG }}"
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+          exit-code: '0'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+
+      - name: Update Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/controller-tests.yaml

@@ -13,7 +13,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.19.0'
+          go-version: '1.21.12'
 
       - name: Download & install envtest binaries
         run: |

.github/workflows/smoke.yaml

@@ -1,64 +1,64 @@
 name: Smoke test
 
 on:
-    pull_request:
-        branches:
-            - main
+  pull_request:
+    branches:
+      - main
 
 jobs:
-    deploy:
-        runs-on: ubuntu-latest
-        steps:
-            - name: Checkout
-              uses: actions/checkout@v2
+  deploy:
+    runs-on: ubuntu-latest
+    env:
+      PR_NUMBER: ${{ github.event.pull_request.number || 'default-pr-number' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
 
-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
 
-            - name: Build and push operator container image
-              uses: docker/build-push-action@v2
-              with:
-                  context: .
-                  file: ./Dockerfile
-                  load: true
-                  tags: smoke/operator:pr-${{ github.event.pull_request.number || env.PR_NUMBER }}
+      - name: Build and push operator container image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          file: ./Dockerfile
+          load: true
+          tags: smoke/operator:pr-${{ github.event.pull_request.number || env.PR_NUMBER }}
 
-            - name: Create k8s Kind Cluster
-              uses: helm/kind-action@v1
-              with:
-                  node_image: kindest/node:v1.24.17
-                  cluster_name: kind
+      - name: Create k8s Kind Cluster
+        uses: helm/kind-action@v1
+        with:
+          node_image: kindest/node:v1.24.17
+          cluster_name: kind
 
-            - name: Load the operator image into Kind
-              run: |
-                  kind load docker-image smoke/operator:pr-${{ github.event.pull_request.number || env.PR_NUMBER }}
+      - name: Load the operator image into Kind
+        run: |
+          kind load docker-image smoke/operator:pr-${{ github.event.pull_request.number || env.PR_NUMBER }}
 
-            - name: Install kustomize
-              run: |
-                  curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
-                  sudo mv kustomize /usr/local/bin/
+      - name: Install kustomize
+        run: |
+          curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
+          sudo mv kustomize /usr/local/bin/
 
-            - name: Apply CRDs
-              run: |
-                  kubectl apply -f tests/crds/monitoring.coreos.com_servicemonitors.yaml
-                  kubectl apply -f tests/crds/route_crd.yaml
-                  kubectl apply -f tests/crds/serving.kserve.io_inferenceservices.yaml
-                  kubectl apply -f tests/crds/serving.kserve.io_servingruntimes.yaml
-                  kustomize build config/crd | kubectl apply -f -
+      - name: Apply CRDs
+        run: |
+          kubectl apply -f tests/crds/monitoring.coreos.com_servicemonitors.yaml
+          kubectl apply -f tests/crds/route_crd.yaml
+          kubectl apply -f tests/crds/serving.kserve.io_inferenceservices.yaml
+          kustomize build config/crd | kubectl apply -f -
 
-            - name: Update params.env file
-              run: |
-                  sed -i 's|trustyaiOperatorImage=quay.io/trustyai/trustyai-service-operator:latest|trustyaiOperatorImage=smoke/operator:pr-${{ github.event.pull_request.number || env.PR_NUMBER }}|' config/base/params.env
+      - name: Update params.env file
+        run: |
+          sed -i 's|trustyaiOperatorImage=quay.io/trustyai/trustyai-service-operator:latest|trustyaiOperatorImage=smoke/operator:pr-${{ github.event.pull_request.number || env.PR_NUMBER }}|' config/base/params.env
 
-            - name: Deploy the operator with kustomize
-              run: |
-                  kubectl create namespace system
-                  kustomize build config/base | kubectl apply -f -
-
-            - name: Run smoke tests
-              run: ./tests/smoke/test_smoke.sh
+      - name: Deploy the operator with kustomize
+        run: |
+          kubectl create namespace system
+          kustomize build config/base | kubectl apply -n system -f -
 
+      - name: Run smoke tests
+        run: ./tests/smoke/test_smoke.sh
 
 env:
-    PR_NUMBER: "default-pr-number"
-    KUBECONFIG: "${HOME}/.kube/config"
+  PR_NUMBER: "default-pr-number"
+  KUBECONFIG: "${HOME}/.kube/config"

.yamllint.yaml

@@ -6,4 +6,6 @@ rules:
     level: warning
   hyphens:
     max-spaces-after: 1
-    level: warning
+    level: warning
+  indentation:
+    indent-sequences: consistent

CONTRIBUTING.md

@@ -0,0 +1,66 @@
+# Contributing to the TrustyAI Operator
+
+Thanks for your interest in the TrustyAI operator project! You can contribute to this project in various ways: filing bug reports, proposing features, submitting pull requests (PRs), and improving documentation.
+
+Before you begin, please take a look at our contribution guidelines below to ensure that your contribuutions are aligned with the project's goals.
+
+## Reporting Issues
+Issues are tracked using [Github](https://github.com/trustyai-explainability/trustyai-service-operator/issues). If you encounter a bug or have suggestions for enhancements, please follow the steps below:
+
+1. **Check for Existing Issues:** Before creating a new issue, search the Github project to see if a similar issue already exists.
+2. **Create a Github issue:** If the issue doesn’t exist, create a new ticket in Github.
+    - **For Feature Requests:**  Set the label as `feature`
+    - **For Bugs:** Set the label to `kind/bug`
+    - **For all other code changes:** Use the issue type `kind/enhancement`
+    - Add to the "TrustyAI planning" in "Projects"
+      - And specify "Component" as "Operator" 
+
+## Pull Requests
+
+### Workflow
+
+1. **Fork the Repository:** Create your own fork of the repository to work on your changes.
+2. **Create a Branch:** Create your own branch to include changes for the feature or a bug fix off of `main` branch.
+3. **Work on Your Changes:** Commit often, and ensure your code passes all the test for the operator.
+4. **Testing:** Make sure your code passes all the tests, including any new tests you've added. And that your changes do not decrease the test coverage as shown on report. Every new feature should come with unit tests that cover that new part of the code.
+
+### Open a Pull Request:
+
+1. **Link to Github Issue**: Include the Github issue link in your PR description.
+2. **Description**: Provide a detailed description of the changes and what they fix or implement.
+3. **Add Testing Steps**: Provide information on how the PR has been tested, and list out testing steps if any for reviewers.
+4. **Review Request**: Tag the relevant maintainers(`@trustyai-explainability/developers`) for a review.
+5. **Resolve Feedback**: Be open to feedback and iterate on your changes.
+
+### Quality Gates
+
+To ensure the contributed code adheres to the project goals, we have set up some automated quality gates:
+
+1. [linters](https://github.com/trustyai-explainability/trustyai-service-operator/actions/workflows/lint-yaml.yaml): Ensure the check for linters is successful.
+2. [smoke tests](https://github.com/trustyai-explainability/trustyai-service-operator/actions/workflows/smoke.yaml): Ensure the operator passes the smoke tests
+3. [unit-tests](https://github.com/trustyai-explainability/trustyai-service-operator/actions/workflows/controller-tests.yaml): Ensure unit tests pass.
+4. e2e-tests: Ensure OpenShift CI job for e2e tests pass.
+
+### Code Style Guidelines
+
+1. Follow the Go community’s best practices, which can be found in the official [Effective Go](https://go.dev/doc/effective_go) guide.
+2. Follow the best practices defined by the [Operator SDK](https://sdk.operatorframework.io/docs/best-practices/).
+3. Use `go fmt` to automatically format your code.
+4. Ensure you write clear and concise comments, especially for exported functions.
+5. Always check and handle errors appropriately. Avoid ignoring errors by using _.
+6. Make sure to run `go mod tidy` before submitting a PR to ensure the `go.mod` and `go.sum` files are up-to-date.
+
+### Commit Messages
+
+We follow the conventional commits format for writing commit messages. A good commit message should include:
+1. **Type:** `fix`, `feat`, `docs`, `chore`, etc. **Note:** All `fix` and `feat` commits require an associated issue. Please add link to your Github issue. 
+   1. Security fixes should be in the format `fix(CVE-xxx): `
+2. **Scope:** A short description of the area affected.
+3. **Summary:** A brief explanation of what the commit does.
+
+## Communication
+
+For general questions, feel free to open a discussion in our repository or communicate via:
+
+- **Comments**: Feel free to discuss issues directly on Github issues.
+- **Discussions**: Alternatively, use [Github discussions](https://github.com/orgs/trustyai-explainability/discussions)

Dockerfile

@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM registry.access.redhat.com/ubi8/go-toolset:1.20 as builder
+FROM registry.access.redhat.com/ubi8/go-toolset:1.23 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -12,7 +12,7 @@ COPY go.sum go.sum
 RUN go mod download
 
 # Copy the go source
-COPY main.go main.go
+COPY cmd/ cmd/
 COPY api/ api/
 COPY controllers/ controllers/
 
@@ -22,7 +22,7 @@ COPY controllers/ controllers/
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
 USER root
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details