MGMT-21406 Switch from Gemini to Vertex AI

Makefile

@@ -5,6 +5,7 @@
 	build-images \
 	build-inspector build-assisted-mcp build-lightspeed-stack build-lightspeed-plus-llama-stack build-ui \
 	generate run resume stop rm logs query query-int query-stage query-interactive mcphost test-eval psql sqlite help
+	deploy-template ci-test deploy-template-local
 
 all: help ## Show help information
 
@@ -32,10 +33,28 @@ build-ui: ## Build UI image
 	@echo "Building UI image..."
 	./scripts/build-images.sh ui
 
-.PHONY:
-deploy-template:
+deploy-template: ## Used by the CI. Deploys the template on the temporary CI cluster
 	scripts/deploy_template.sh
 
+ci-test: ## Used by the CI to test the assisted-chat services
+	./scripts/ci_test.sh
+
+deploy-template-local: ## Used to test the CI flow locally. Deploys the template on whatever cluster `oc` is currently logged in to
+	@echo "Setting up local secrets directory..."
+	@mkdir -p /tmp/secrets/vertex
+	@if [ -z "$(VERTEX_SERVICE_ACCOUNT_PATH)" ]; then \
+		echo "Error: VERTEX_SERVICE_ACCOUNT_PATH environment variable must be set"; \
+		exit 1; \
+	fi
+	@if [ -z "$(ASSISTED_CHAT_IMG)" ]; then \
+		echo "Error: ASSISTED_CHAT_IMG environment variable must be set"; \
+		exit 1; \
+	fi
+	@cp "$(VERTEX_SERVICE_ACCOUNT_PATH)" /tmp/secrets/vertex/service_account
+	@echo "Deploying template locally..."
+	oc create namespace assisted-chat || true
+	NAMESPACE=assisted-chat SECRETS_BASE_PATH=/tmp/secrets ASSISTED_CHAT_IMG="$(ASSISTED_CHAT_IMG)" scripts/deploy_template.sh
+
 generate: ## Generate configuration files
 	@echo "Generating configuration files..."
 	./scripts/generate.sh

scripts/ci_test.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -o nounset
+set -o errexit
+set -o pipefail
+
+SECRETS_BASE_PATH="${SECRETS_BASE_PATH:-/var/run/secrets}"
+
+oc create secret generic -n "$NAMESPACE" assisted-chat-ssl-ci --from-file=client_id=/var/run/secrets/sso-ci/client_id \
+    --from-file=client_secret=/var/run/secrets/sso-ci/client_secret
+
+oc process -p IMAGE_NAME="$ASSISTED_CHAT_TEST" -p SSL_CLIENT_SECRET_NAME=assisted-chat-ssl-ci -f test/prow/template.yaml --local | oc apply -n "$NAMESPACE" -f -
+
+sleep 5
+oc get pods -n "$NAMESPACE"
+POD_NAME=$(oc get pods | tr -s ' ' | cut -d ' ' -f1 | grep assisted-chat-eval-tes)
+
+TIMEOUT=600
+ELAPSED=0
+
+while [ $ELAPSED -lt $TIMEOUT ]; do
+    # Check if the pod's status is "Running"
+    CURRENT_STATUS=$(oc get pod "$POD_NAME" -n "$NAMESPACE" -o=jsonpath='{.status.phase}')
+    CURRENT_RESTARTS=$(oc get pod "$POD_NAME" -n "$NAMESPACE" -o=jsonpath='{.status.containerStatuses[0].restartCount}')
+    if [[ $CURRENT_RESTARTS -gt 0 ]]; then
+        echo "Pod ${POD_NAME} was restarted, so the tests should run at least once, exiting"
+        oc logs -n "$NAMESPACE" "$POD_NAME"
+        exit "$(oc get pod "$POD_NAME" -n "$NAMESPACE" -o=jsonpath='{.status.containerStatuses[0].lastState.terminated.exitCode}')"
+    fi
+    if [[ "$CURRENT_STATUS" == "Succeeded" ]]; then
+        echo "Pod ${POD_NAME} is successfully completed, exiting"
+        oc logs -n "$NAMESPACE" "$POD_NAME"
+        exit 0
+    fi
+    if [[ "$CURRENT_STATUS" == "Completed" ]]; then
+        echo "Pod ${POD_NAME} is successfully completed, exiting"
+        oc logs -n "$NAMESPACE" "$POD_NAME"
+        exit 0
+    fi
+
+    if [[ "$CURRENT_STATUS" == "Failed" ]]; then
+        echo "Pod ${POD_NAME} is Failed, exiting"
+        oc logs -n "$NAMESPACE" "$POD_NAME"
+        exit "$(oc get pod "$POD_NAME" -n "$NAMESPACE" -o=jsonpath='{.status.containerStatuses[0].lastState.terminated.exitCode}')"
+    fi
+
+    echo "Waiting for pod $POD_NAME to be ready..."
+    sleep 1
+    ELAPSED=$((ELAPSED + 1))
+done
+
+oc logs -n "$NAMESPACE" "$POD_NAME"
+
+echo "Timeout reached. Pod $POD_NAME did not become ready in time."
+exit 1

scripts/deploy_template.sh

@@ -4,32 +4,80 @@ set -o nounset
 set -o errexit
 set -o pipefail
 
+SECRETS_BASE_PATH="${SECRETS_BASE_PATH:-/var/run/secrets}"
+
 #All the secret are expected to be mounted under /var/run/secrets by the ci-operator
 
 #$ASSISTED_CHAT_IMG is not in repo/image:tag format but rather in repo/<image name>@sha256:<digest>
 #The template needs the tag, and it references the image by <image name>:<tag> so splitting the variable by ":" works for now
 
-echo $ASSISTED_CHAT_IMG
-IMAGE=$(echo $ASSISTED_CHAT_IMG | cut -d ":" -f1)
-TAG=$(echo $ASSISTED_CHAT_IMG | cut -d ":" -f2)
+echo "$ASSISTED_CHAT_IMG"
+IMAGE=$(echo "$ASSISTED_CHAT_IMG" | cut -d ":" -f1)
+TAG=$(echo "$ASSISTED_CHAT_IMG" | cut -d ":" -f2)
+
+# What secrets have we got?
+ls -laR "$SECRETS_BASE_PATH"
+
+if ! oc get secret -n "$NAMESPACE" vertex-service-account &>/dev/null; then
+    echo "Creating vertex-service-account secret in namespace $NAMESPACE"
+    oc create secret generic -n "$NAMESPACE" vertex-service-account --from-file=service_account="$SECRETS_BASE_PATH/vertex/service_account"
+fi
+
+if ! oc get secret -n "$NAMESPACE" insights-ingress &>/dev/null; then
+    echo "Creating insights-ingress secret in namespace $NAMESPACE"
+    oc create secret generic -n "$NAMESPACE" insights-ingress --from-literal=auth_token="dummy-token"
+fi
+
+if ! oc get secret -n "$NAMESPACE" llama-stack-db &>/dev/null; then
+    echo "Creating llama-stack-db secret with local postgres credentials in namespace $NAMESPACE"
+    oc create secret generic -n "$NAMESPACE" llama-stack-db \
+        --from-literal=db.host=postgres-service \
+        --from-literal=db.port=5432 \
+        --from-literal=db.name=assistedchat \
+        --from-literal=db.user=assistedchat \
+        --from-literal=db.password=assistedchat123 \
+        --from-literal=db.ca_cert=""
+fi
+
+if ! oc get secret -n "$NAMESPACE" postgres-secret &>/dev/null; then
+    echo "Creating postgres-secret in namespace $NAMESPACE"
+
+    oc create secret generic -n "$NAMESPACE" postgres-secret \
+        --from-literal=POSTGRESQL_DATABASE=assistedchat \
+        --from-literal=POSTGRESQL_USER=assistedchat \
+        --from-literal=POSTGRESQL_PASSWORD=assistedchat123
+fi
 
-oc create secret generic -n $NAMESPACE gemini-api-key --from-file=api_key=/var/run/secrets/gemini/api_key
-oc create secret generic -n $NAMESPACE llama-stack-db --from-file=db.ca_cert=/var/run/secrets/llama-stack-db/db.ca_cert \
-                                                      --from-file=db.host=/var/run/secrets/llama-stack-db/db.host \
-                                                      --from-file=db.name=/var/run/secrets/llama-stack-db/db.name \
-                                                      --from-file=db.password=/var/run/secrets/llama-stack-db/db.password \
-                                                      --from-file=db.port=/var/run/secrets/llama-stack-db/db.port \
-                                                      --from-file=db.user=/var/run/secrets/llama-stack-db/db.user
+if ! oc get deployment -n "$NAMESPACE" postgres &>/dev/null; then
+    echo "Creating postgres deployment in namespace $NAMESPACE"
+    oc create deployment -n "$NAMESPACE" postgres --image=quay.io/sclorg/postgresql-16-c9s:c9s
+    oc set env -n "$NAMESPACE" deployment/postgres --from=secret/postgres-secret
+fi
 
-patch template.yaml -i test/prow/template_patch.diff
-echo "GEMINI_API_KEY=$(cat /var/run/secrets/gemini/api_key)" > .env
-make generate
-sed -i 's/user_id_claim: sub/user_id_claim: client_id/g' config/lightspeed-stack.yaml
-sed -i 's/username_claim: preferred_username/username_claim: clientHost/g' config/lightspeed-stack.yaml
+if ! oc get service -n "$NAMESPACE" postgres-service &>/dev/null; then
+    echo "Creating postgres service in namespace $NAMESPACE"
+    oc expose -n "$NAMESPACE" deployment/postgres --name=postgres-service --port=5432
+fi
 
-oc process -p IMAGE=$IMAGE -p IMAGE_TAG=$TAG -p GEMINI_API_SECRET_NAME=gemini-api-key -p ASSISTED_CHAT_DB_SECRET_NAME=llama-stack-db -f template.yaml --local | oc apply -n $NAMESPACE -f -
+if ! oc get routes -n "$NAMESPACE" &>/dev/null; then
+    # Don't apply routes on clusters that don't have routes (e.g. minikube)
+    FILTER='select(.kind != "Route")'
+else
+    FILTER='.'
+fi
 
+oc process \
+    -p IMAGE="$IMAGE" \
+    -p IMAGE_TAG="$TAG" \
+    -p VERTEX_API_SECRET_NAME=vertex-service-account \
+    -p ASSISTED_CHAT_DB_SECRET_NAME=llama-stack-db \
+    -p USER_ID_CLAIM=client_id \
+    -p USERNAME_CLAIM=clientHost \
+    -p LIGHTSSPEED_STACK_POSTGRES_SSL_MODE=disable \
+    -p LLAMA_STACK_POSTGRES_SSL_MODE=disable \
+    -f template.yaml --local |
+    jq '. as $root | $root.items = [$root.items[] | '"$FILTER"']' |
+    oc apply -n "$NAMESPACE" -f -
 
 sleep 5
-POD_NAME=$(oc get pods -n $NAMESPACE | tr -s ' ' | cut -d ' ' -f1| grep assisted-chat)
-oc wait --for=condition=Ready pod/$POD_NAME --timeout=300s
+oc wait --for=condition=Available deployment/assisted-chat -n "$NAMESPACE" --timeout=300s

scripts/generate.sh

@@ -19,6 +19,16 @@ if [[ ! -f "$PROJECT_ROOT/.env" ]]; then
             read -sr GEMINI_API_KEY
             echo "GEMINI_API_KEY=$GEMINI_API_KEY" >"$PROJECT_ROOT/.env"
             chmod 600 "$PROJECT_ROOT/.env"
+
+            echo 'Gemini key successfully configured.'
+
+            # Create a dummy Vertex AI service account credentials file
+            if [[ ! -f "$PROJECT_ROOT/config/vertex-credentials.json" ]]; then
+                echo 'Also creating a dummy Vertex AI service account credentials file at config/vertex-credentials.json. If you want to use to be able to use both, modify config/vertex-credentials.json manually.'
+                echo '{}' >"$PROJECT_ROOT/config/vertex-credentials.json"
+                chmod 600 "$PROJECT_ROOT/config/vertex-credentials.json"
+            fi
+
         elif [[ "$auth_type" == "v" || "$auth_type" == "V" ]]; then
             echo 'Please enter the path to your Vertex AI service account credentials file:'
             read -r VERTEX_AI_SERVICE_ACCOUNT_CREDENTIALS_PATH
@@ -27,6 +37,15 @@ if [[ ! -f "$PROJECT_ROOT/.env" ]]; then
                 exit 1
             fi
 
+            if [[ -f "$PROJECT_ROOT/config/vertex-credentials.json" ]]; then
+                echo "File $PROJECT_ROOT/config/vertex-credentials.json already exists. Do you want to overwrite it? (y/n)"
+                read -r overwrite
+                if [[ "$overwrite" != "y" && "$overwrite" != "Y" ]]; then
+                    echo "Exiting without copying."
+                    exit 1
+                fi
+            fi
+
             echo "$VERTEX_AI_SERVICE_ACCOUNT_CREDENTIALS_PATH will be copied to $PROJECT_ROOT/config/vertex-credentials.json, do you want to continue? (y/n)"
             read -r should_copy
             if [[ "$should_copy" != "y" && "$should_copy" != "Y" ]]; then
@@ -43,6 +62,8 @@ if [[ ! -f "$PROJECT_ROOT/.env" ]]; then
             echo GEMINI_API_KEY="dummy" >"$PROJECT_ROOT/.env"
             chmod 600 "$PROJECT_ROOT/.env"
 
+            echo "Vertex credentials successfully configured."
+
             echo "Your Gemini API key will be set to a dummy value, as it is not needed for Vertex AI service account authentication, if you want to be able to use both, modify .env manually."
         else
             echo "Invalid choice. Exiting."

template-params.dev.env

@@ -4,3 +4,4 @@ LLAMA_CLIENT_CONFIG_PATH=llama_stack_client_config.yaml
 LIGHTSPEED_TRANSCRIPTS_ENABLED=false
 LIGHTSPEED_FEEDBACK_ENABLED=false
 DISABLE_QUERY_SYSTEM_PROMPT=false
+ASSISTED_CHAT_DEFAULT_MODEL=gemini/gemini-2.0-flash